Abstract

This work presents a new, simple $O(\log^2|G|)$ algorithm, the Fibonacci cube algorithm, for producing random group elements in black box groups. After the initial $O(\log^2|G|)$ group operations, $\epsilon$-uniform random elements are produced using $O((\log 1/\epsilon)\log|G|)$ operations each. This is the first major advance over the ten year old result of Babai [Bab91], which had required $O(\log^5|G|)$ group operations. Preliminary experimental results show the Fibonacci cube algorithm to be competitive with the product replacement algorithm.

The new result leads to an amusing reversal of the state of affairs for permutation group 
algorithms. In the past, the fastest random generation for permutation groups was achieved as 
an application of permutation group membership algorithms and used deep knowledge about 
permutation representations. The new black box random generation algorithm is also valid for 
permutation groups, while using no knowledge that is specific to permutation representations. 
As an application, we demonstrate a new algorithm for permutation group membership that is 
asymptotically faster than all previously known algorithms. 

1 Introduction 

Quickly finding an element of a black box group is a problem of critical importance for many 
randomized algorithms for mathematical groups. (Black box groups are defined later.) Random 
group elements are especially important for computations with finite matrix groups, where few 
efficient deterministic algorithms are known. 

Researchers requiring generation of such random elements tended to have a split personality. On the one hand, one could choose a theoretically sound algorithm with a complexity that was far too high to be practical. The best previous theoretical algorithm required $O(\log^5|G|)$ group multiplications to produce a random element [Bab91]. On the other hand, one could choose a heuristic for random elements such as the product replacement algorithm [CLGM+95], which could be demonstrated to have a bias away from the uniform distribution [BP02], but was "good enough" in practice.

This paper presents a simple $O(\log^2|G|)$ algorithm, the Fibonacci cube algorithm, which is easy to program. After the initial $O(\log^2|G|)$ group operations, $\epsilon$-uniform random elements are produced using $O((\log 1/\epsilon)\log|G|)$ operations each. The algorithm is in Section 3.1. The main theoretical result is Theorem 7.3. The theoretical analysis of this paper currently has an unacceptably high coefficient of complexity, although experimental results show it to be competitive with the product replacement algorithm. The conclusion points out opportunities to lower the theoretical coefficient by refining the complexity analysis.

A black box group is a group with an associated oracle, in which group elements are encoded as binary strings of some uniform length $L$. The oracle can multiply, find inverses, and compare an element with the identity. Note that this implies an upper bound of $2^L$ on the group order.

A common use of black box groups is to model finite matrix groups over finite fields. A matrix group, $GL(d,q)$ (dimension $d$ over $GF(q)$), is a black box group with an encoding of length $L = d^2\log_2 q$, and its order is a priori bounded by $2^L$. Almost every paper in the recent development of matrix group algorithms assumes the availability of a random generation algorithm. In particular, the matrix recognition project [LG01] is a project to recognize matrix groups in $GL(d,q)$ for values of $d$ up to approximately 100, and for moderate size values of $q$. That project relies heavily on the ability to compute nearly random group elements.

Surprisingly, even in the regime of permutation groups, the new black box algorithm for random generation is faster than the best known permutation algorithm both for the case of large and small base. Let $n$ be the permutation degree. For large base, $\log|G| < n\log n$, and so we have random generation in $O(n^3\log^2 n)$. For small base, if we assume a base size of $O(\log n)$, then $\log|G| < \log^2 n$.

Let $G = \langle S\rangle$ be a finite black box group. We use $\Pr(\cdot)$ to notate probability and $E(\cdot)$ to notate expectation. Random variables are denoted by capital letters, while group elements are denoted by lower case letters. Let $U$ be a random variable on $G$ with uniform distribution. We use the notation $A \subset G$ for a proper subset of $G$ and $A \subseteq G$ for a subset of $G$. Similarly, $H < G$ denotes a proper subgroup of $G$ and $H \le G$ denotes a subgroup of $G$.

1.1 Previous work 



The first polynomial time algorithm for random group elements was demonstrated by Babai [Bab91]. It runs in time $O(\log^5|G|)$. Unfortunately, the high complexity means that this algorithm is not used in computations. As Babai wrote in the Handbook of Combinatorics [Bab95]:

Reducing the exponent 5 would be of great significance since many algorithms in computational group theory rely on "randomly chosen" elements from the group. [Bab95]



A second heuristic, product replacement, was then proposed by Celler et al. [CLGM+95] as a practical way to find random elements of $G$.

Other researchers asked how fast a product replacement algorithm would approach a uniform distribution in the class of generating $k$-sets for $G$. Note that such a random $k$-set is distinct from a random group element. Diaconis and Saloff-Coste showed the algorithm to produce nearly random generating $k$-sets in sub-exponential time [DSC98], and Pak then showed it to operate in polynomial time [Pak00]. Pak requires the use of a $k$-tuple in which $k = \Omega(\log|G|\log\log|G|)$. When $k = O(\log|G|\log\log|G|)$, he achieves his best time of $O(\log^9|G|\,(\log\log|G|)^5)$. Babai and Pak [BP02] presented an important obstacle, whereby for the limiting distribution of $k$-sets, individual group elements are shown to be biased away from the identity.

1.2 Outline of contents 

The primary result is Theorem 7.3. Informally, it shows that one can construct an initial, nearly random element using $O(\log^2|G|)$ group operations with further elements produced in $O(\log|G|)$ time. The algorithm is given in Section 6.1. For a high level overview of the approach to the proof, see Section 6.2 after reading this section.
We use the notation $XY$ for the product of two $G$-valued random variables in analogy with $gh$ for $g,h \in G$. To illustrate the notation, if $E$ is a $\{0,1\}$-random variable, then $XY^E = h$ if $X = h$ and $E = 0$, while $XY^E = hg$ if $X = h$, $Y = g$ and $E = 1$.

Although the algorithm for generating random group elements is a simple one, its justification is not simple. We will develop a sequence of random variables $\mathcal{R}_0, \mathcal{R}_1, \ldots$ such that $\mathcal{R}_0$ is fixed at the identity and $\mathcal{R}_{i+1} = \mathcal{R}_i g_i^{E_i}$, where $g_i \in G$ is chosen from a random distribution based on $\mathcal{R}_i$ and $E_i$ is a uniform random variable on $\{0,1\}$. The $E_1, E_2, \ldots$ are pairwise independent and independent of the other random variables. For some fixed $t = \Theta(\log|G|)$, $g_1^{E_1}\cdots g_t^{E_t}$ is a nearly uniform random variable on $G$, and computing an element from its distribution requires at least $t$ group operations.

Section 2 provides some easy, well-known lemmas which form the foundation for the rest of the paper. The $\ell_2$ norm, $\|X\|$, of a random variable $X$ is defined in Section 2.2, along with some easy lemmas about it. One easily shows that $\|\mathcal{R}_i\|$ is monotonically non-increasing as a function of $i$. The $\ell_2$ norm had previously been used by Diaconis and Saloff-Coste to analyze random walks on groups [DSC93].

The primary goal of the proof is to show that $\|\mathcal{R}_{i+1}\| \le c\|\mathcal{R}_i\|$ with probability at least $p > 0$ for some positive $c < 1$. Section 6.2 outlines the ideas of that proof. Section 6 provides that proof and concludes with the formal statement in Lemma 6.2 showing that for $t = O((1/c)\log|G|)$, $\mathcal{R}_t$ is semi-uniform. ($\Pr(\mathcal{R}_t = g)$ is bounded away from 0.) That lemma then yields the main theorem, Theorem 7.3.

The main result relies on some technical results from Sections 3 to 5. As a matter of notation, we reserve upper case letters $E$, $I$, $J$, $K$, $T$ through $Z$ and $\mathcal{R}_i$ for random variables.

Section 3 makes various assumptions on $X$ and $W$. It then asks for what positive $\alpha < 1$ and $p > 0$ can one conclude that for $g$ drawn from the distribution of $W$, $\|Xg^E\| \le \alpha\|X\|$ with probability at least $p$. Here, $E$ is an independent random variable on $\{0,1\}$.

Section 3 asks the following question. Let $X$ and $Y$ be random variables on $G$ and let $J$ be a random variable on $\{0,1\}$. (Often, we will take $\Pr(J = 0) = 1/2$ and $\Pr(J = 1) = 1/2$.) Assume that $\mathcal{R}_i$ has the same probability density function as $X^J Y^{1-J}$. (Note that the notation $X^J$ means that $X^J = X$ when $J = 1$, and $X^J$ is the group identity element when $J = 0$.) If $\|Xg^E\| \le \alpha\|X\|$ for some $0 < \alpha < 1$, then for what $\beta$ is it true that $\|\mathcal{R}_{i+1}\| \le \beta\|\mathcal{R}_i\|$? In order to state the results more generally, that section writes $Z$ for $\mathcal{R}_i$ and $W$ for $g_i^{E_i}$. As will be seen, Section ^.

Section 5 worries about the unusual case of being "stuck" in a proper subgroup. The fixed $\{g_1, \ldots, g_i\}$ constructed to define the series $\mathcal{R}_1, \ldots, \mathcal{R}_{i+1}$ can all be contained in a proper subgroup. In such a case, a random $g_{i+1}$ drawn from $\mathcal{R}_{i+1}$ will also be in the proper subgroup. Further, if $\mathcal{R}_{i+1}$ has only a small probability of lying outside a proper subgroup, then the same problem arises. The solution is to use the generators of $G$ to construct a group element $g_i \notin A$, whereupon $Xg_i^{E_i}$ is smaller than $X$ in the $\ell_2$ norm. We use random subproducts (Definition 1) as an efficient way to construct a $g_i \notin A$.

Section 5 contains Theorem 5.2, which may have independent interest. Informally, it states that for a set $A \subseteq G$ with $A = A^{-1}$, either a random $(u,v) \in A \times A$ satisfies $uv \notin A$ with at least some positive probability, or else $A$ is close to a subgroup $A'$ with $A'A'$ a subgroup of $G$.

Section 6 demonstrates the Fibonacci Cube algorithm, which constructs the $g_i$ in the definition of $\mathcal{R}_i$. This is the main algorithm. This is enough to show that $\mathcal{R}_t^{-1}\mathcal{R}_t$ is semi-uniform for sufficiently large $t$.

Section 7 shows how to construct $\epsilon$-uniform random elements from $\epsilon$-semi-uniform random elements. It then summarizes the previous results in the main theorem, Theorem 7.3. Theorem 7.1 of that section is of independent interest, since it shows how to efficiently construct a uniform random variable from a semi-uniform random variable.
Section 8 presents some initial experimental results applying the Fibonacci cube algorithm to conjugacy classes. After a precomputation of about 100 group operations, one produces independent pseudo-random elements costing 20 group operations per random element. Those elements satisfy the $\chi^2$ goodness of fit test as having a distribution over the conjugacy classes that is close to uniformly random.

Section 9 produces a $O(\log^2|G|)$ random generation algorithm for a variation of the product replacement algorithm, and Section 10 describes how to use the new Fibonacci cube algorithm to produce what is currently the asymptotically fastest group membership algorithm, both for the general (large base) case and the special case of small base groups.



2 Preliminaries 

The following easy lemmas and theorems are included for completeness. Note that throughout this paper, random variables are always denoted by upper case letters $E$, $I$, $J$, $K$, $T$ through $Z$ and by $\mathcal{R}_i$.

2.1 Probability and $\epsilon$-uniform random variables

The following lemma is well-known and has an easy proof. 

Lemma 2.1 (Markov's inequality) Let $\xi$ be a nonnegative random variable and $\lambda > 1$ a real number. Then

$$\Pr(\xi \ge \lambda E(\xi)) \le \frac{1}{\lambda}.$$



Corollary 2.2 Let $\xi$ be a random variable on the interval $[0,1]$ and $\lambda > 1$ a real number. Then

$$\Pr(\xi \ge 1 - \lambda E(1-\xi)) \ge 1 - \frac{1}{\lambda}.$$

Proof: Let $\zeta = 1 - \xi$ and note that $\zeta$ is nonnegative. Then $\Pr(\xi \ge 1 - \lambda E(1-\xi)) \ge 1 - 1/\lambda \Leftrightarrow \Pr(1 - \zeta \ge 1 - \lambda E(\zeta)) \ge 1 - 1/\lambda \Leftrightarrow \Pr(\zeta \le \lambda E(\zeta)) \ge 1 - 1/\lambda \Leftrightarrow \Pr(\zeta > \lambda E(\zeta)) \le 1/\lambda$, and the last inequality follows from Markov's inequality. □



Theorem 2.3 (Chernoff's Bound [Che52]) Let $S_t$ be a random variable equal to the number of successes in $t$ independent Bernoulli trials in which the probability of success is $p$ ($0 < p < 1$). Let $0 < \epsilon < 1$. Then

$$\Pr(S_t \le \lfloor (1-\epsilon)pt \rfloor) \le e^{-\epsilon^2 pt/2}.$$



Definition 1 A random subproduct on an ordered set $S = \{g_1, \ldots, g_k\} \subseteq G$ is given by $g_1^{\epsilon_1}\cdots g_k^{\epsilon_k}$ for $\epsilon_i$ independent, uniform random variables on $\{0,1\}$. ($\Pr(\epsilon_i = 0) = 1/2$ and $\Pr(\epsilon_i = 1) = 1/2$.)

The following is a generalization of Proposition 2.1 of Cooperman and Finkelstein [CF93].

Lemma 2.4 (random subproduct) Let $H$ be a proper subgroup of $G = \langle S\rangle$ and let $r$ be a random subproduct on $S$. Then with probability at least $1/2$, $|Hr \setminus H| \ge |H|/2$.

Proof: Let $S = \{g_1, \ldots, g_k\}$ and let $j \le k$ be the largest integer such that $g_j \notin H$. Decompose the random subproduct $r = g_1^{\epsilon_1}\cdots g_k^{\epsilon_k}$ as $r = u g_j^{\epsilon_j} v$. If $|Hu \setminus H| \ge |H|/2$, then with probability $1/2$, $\epsilon_j = 0$, which implies $|Hr \setminus H| = |Hu \setminus H|$. If $|Hu \setminus H| < |H|/2$, then with probability $1/2$, $\epsilon_j = 1$, which implies $|Hr \setminus H| = |Hug_j \setminus H| \ge |Hu \cap H| = |H| - |Hu \setminus H| > |H|/2$. □

Lemma 2.5 Let $X$ and $Y$ be independent random variables on $G$. Then $\min_{h\in G}\Pr(X = h) \le \Pr(XY = g) \le \max_{h\in G}\Pr(X = h)$ for all $g \in G$. Similarly, $\min_{h\in G}\Pr(Y = h) \le \Pr(XY = g) \le \max_{h\in G}\Pr(Y = h)$.

Proof: Note $\Pr(XY = g) = \sum_{h\in G}\Pr(X = h)\Pr(XY = g \mid X = h) = \sum_{h\in G}\Pr(X = h \text{ and } Y = h^{-1}g) = \sum_{h\in G}\Pr(X = h)\Pr(Y = h^{-1}g)$. Further, $\min_{h\in G}\Pr(X = h) = \min_{h\in G}\Pr(X = h)\sum_{f\in G}\Pr(Y = f^{-1}g) \le \sum_{f\in G}\Pr(X = f)\Pr(Y = f^{-1}g) \le \max_{h\in G}\Pr(X = h)\sum_{f\in G}\Pr(Y = f^{-1}g) = \max_{h\in G}\Pr(X = h)$. A similar argument holds for $\min_{h\in G}\Pr(Y = h)$ and $\max_{h\in G}\Pr(Y = h)$. □



Lemma 2.6 (Babai and Szemerédi [BS84]) The following holds: $g \notin A^{-1}A \Leftrightarrow Ag \cap A = \emptyset \Leftrightarrow |Ag \cup A| = 2|A|$.

The proof is clear.

Definition 2 A random variable $X$ on a group $G$ is an $\epsilon$-uniform random variable if $|\Pr(X = g) - 1/|G|| \le \epsilon/|G|$ for all $g \in G$. Note that a $0$-uniform random variable is just a uniform random variable.



Lemma 2.7 ($\epsilon$-uniform random variable) Let $U$ and $V$ be independent random variables on a group $G$ and let $\epsilon > 0$. If $U$ is an $\epsilon$-uniform random variable, then $UV$ and $VU$ are also $\epsilon$-uniform.

Proof: $|\Pr(UV = g) - 1/|G|| = |\sum_{h\in G}(\Pr(U = h) - 1/|G|)\Pr(V = h^{-1}g)| \le \sum_{h\in G}|\Pr(U = h) - 1/|G||\,\Pr(V = h^{-1}g) \le (\epsilon/|G|)\sum_{h\in G}\Pr(V = h^{-1}g) = \epsilon/|G|$. A similar argument follows for $VU$. □

The next lemma shows that once a random variable $U$ is found to be uniform on $A$ for $|A| > |G|/2$, $U^{-1}VU$ is $\epsilon$-uniform for an arbitrary random variable $V$.

Lemma 2.8 Let $\alpha$ be a constant satisfying $1/2 < \alpha \le 1$. Let $A$ be a subset of a group $G$ such that $|A| \ge \alpha|G|$. Let $U_1$, $U_2$ and $V$ be independent random variables on $G$. Let $U_1$ and $U_2$ be uniform on $A$ with $\Pr(U_1 = g) = \Pr(U_2 = g) = 1/|A|$ for $g \in A$. Then

$$\frac{(2\alpha-1)/\alpha^2}{|G|} \le \Pr(U_1^{-1}VU_2 = g) \le \frac{1/\alpha}{|G|} \quad \text{for all } g \in G.$$

Hence, $U_1^{-1}VU_2$ is a $(1-\alpha)/\alpha$-uniform random variable on $G$.

Proof: Note that $|A| \ge \alpha|G|$ implies $|A \cap Ag| \ge (2\alpha-1)|G|$. So, $\Pr(VU_2 \in Ag) \ge (2\alpha-1)|G|/|A| \ge (2\alpha-1)/\alpha$. Since $U_1$ and $U_2$ are independent, $\Pr(U_1^{-1}VU_2 = g) = \Pr(VU_2 = U_1 g) = \Pr(VU_2 \in Ag)/|A| \ge ((2\alpha-1)/\alpha^2)/|G|$. Also $\Pr(U_1^{-1}VU_2 = g) = \Pr(VU_2 \in Ag)/|A| \le 1/|A| \le (1/\alpha)/|G|$. Subtracting $1/|G|$ from the lower and upper bounds on $\Pr(U_1^{-1}VU_2 = g)$ completes the proof. □

In fact, Lemma 2.8 can easily be generalized to $U_1$ uniform on $A_1$ for $|A_1| \ge \alpha_1|G|$ and $U_2$ uniform on $A_2$ for $|A_2| \ge \alpha_2|G|$, but the existing form suffices for our purposes.
2.2 The $\ell_2$ norm

Let $\mathbf{R}$ denote the real numbers. Recall that the $\ell_2$ norm on $v = (v_1, \ldots, v_k) \in \mathbf{R}^k$ is $\|v\|_2 = \sqrt{\sum_{i=1}^k v_i^2}$. Let $\mathcal{X}$ be the set of $G$-valued random variables for $G$ a group. Define the function $\varphi$ as the natural function from $\mathcal{X}$ to $\mathbf{R}^{|G|}$, the $|G|$-dimensional vector space over the reals. Hence, if $X \in \mathcal{X}$ and $G = \{g_1, g_2, \ldots, g_{|G|}\}$, then define:

$$\varphi(X) = (\Pr(X = g_1), \Pr(X = g_2), \ldots, \Pr(X = g_{|G|}))$$

$$\|X\| = \|\varphi(X)\|_2 = \sqrt{\sum_{g\in G}(\Pr(X = g))^2}$$

Note that $\|XY\|$ is a norm under multiplication, since $\|XY\| = \|\varphi(XY)\|_2 \le \|\varphi(X)\|_2\,\|\varphi(Y)\|_2 = \|X\|\,\|Y\|$ by the Cauchy-Schwarz inequality.

Observe that for two $G$-valued random variables $X$ and $Y$,

$$\|XY\| = \Big\|\sum_{g\in G}\varphi(Xg)\Pr(Y = g)\Big\|_2 = \Big\|\sum_{g\in G}\varphi(gY)\Pr(X = g)\Big\|_2.$$

Lemma 2.9 For $X$ a random variable on the group $G$ and $g \in G$, $\|X\| = \|X^{-1}\| = \|Xg\|$.

Proof: $\|X\|^2 = \sum_{h\in G}(\Pr(X = h))^2 = \sum_{h\in G}(\Pr(X^{-1} = h^{-1}))^2 = \|X^{-1}\|^2$. Similarly, $\|X\|^2 = \sum_{h\in G}(\Pr(X = h))^2 = \sum_{h\in G}(\Pr(Xg = hg))^2 = \|Xg\|^2$. □

Lemma 2.10 If $X$ and $Y$ are independent $G$-valued random variables for $G$ a group, then $\|XY\| \le \min(\|X\|, \|Y\|)$.

Proof: By the triangle inequality, $\|XY\| = \|\sum_{g\in G}\varphi(Xg)\Pr(Y = g)\|_2 \le \sum_{g\in G}\|\varphi(Xg)\|_2\,\Pr(Y = g) = \|X\|\sum_{g\in G}\Pr(Y = g) = \|X\|$, and similarly $\|XY\| \le \|Y\|$. □

Lemma 2.11 Let $X$ be a random variable on $G$. If $\Pr(X = g) \le m$ for all $g \in G$, then $\|X\| \le \sqrt{m}$.

Proof: $\|X\|$ is maximized when $\Pr(X = g) = m$ or $\Pr(X = g) = 0$ for all $g \in G$ except at most one $g' \in G$ for which $0 < \Pr(X = g') < m$. To see this, let $Y$ be a random variable with $\Pr(Y = g) \le m$ such that $\|Y\|$ is maximal. If $x_1 = \Pr(Y = g_1)$, $x_2 = \Pr(Y = g_2)$, $0 < x_1 < m$, $0 < x_2 < m$ and $0 < \delta \le x_2$, then $(x_1 + \delta)^2 + (x_2 - \delta)^2 = x_1^2 + x_2^2 + 2(x_1 - x_2)\delta + 2\delta^2 > x_1^2 + x_2^2$ when $x_1 \ge x_2$. This violates maximality of $\|Y\|$. So there is at most one $g' \in G$ such that $0 < \Pr(Y = g') < m$. Let $\Pr(Y = g') = m' < m$. Then $\|Y\| = \sqrt{m'^2 + ((1 - m')/m)\,m^2} \le \sqrt{m}$. □

Definition 3 The support of a random variable $X$ on a group $G$ is the set

$$\mathrm{supp}(X) = \{g \in G : \Pr(X = g) > 0\}.$$



Lemma 2.12 Let $X$ be a random variable on $G$. Then $\|X\| \ge 1/\sqrt{|\mathrm{supp}(X)|}$.

Proof: Let $U$ be the uniform random variable on $\mathrm{supp}(X)$ and observe that $\Pr(U = g) = 1/|\mathrm{supp}(X)|$ for $g \in \mathrm{supp}(X)$. Taking the inner product of $\varphi(U)$ and $\varphi(X)$, the result follows from $1/|\mathrm{supp}(X)| = \varphi(U)\cdot\varphi(X) \le \|U\|\,\|X\| = \|X\|/\sqrt{|\mathrm{supp}(X)|}$. The inequality $\varphi(U)\cdot\varphi(X) \le \|U\|\,\|X\|$ is the Cauchy-Schwarz inequality. □
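As an added illustration (not code from the paper), the following Python computes the objects of Definition 1, Lemma 2.4, Section 2.2 and the iteration $\mathcal{R}_{i+1} = \mathcal{R}_i g_i^{E_i}$ of Section 1.2 exactly, on a constructed generating set of $S_4$. It assumes that $g_i$ simply cycles through the generators, standing in for the Fibonacci cube construction, which it does not reproduce; all function names are the example's own.

```python
"""Constructed example on S_4 (not code from the paper).  Permutations on
{0..n-1} are tuples p with p[i] the image of i; pq means "apply p, then q".
A G-valued random variable is a dict {g: Pr(X = g)}."""
import math
from fractions import Fraction
from itertools import product


def compose(p, q):
    """Group product pq: apply p first, then q."""
    return tuple(q[i] for i in p)


def closure(gens):
    """Enumerate the finite group <gens> by breadth-first right multiplication."""
    ident = tuple(range(len(gens[0])))
    group, frontier = {ident}, [ident]
    while frontier:
        nxt = []
        for g in frontier:
            for s in gens:
                h = compose(g, s)
                if h not in group:
                    group.add(h)
                    nxt.append(h)
        frontier = nxt
    return group


def random_subproduct(gens, bits):
    """Definition 1: g_1^{e_1} ... g_k^{e_k} for one exponent vector bits."""
    r = tuple(range(len(gens[0])))
    for g, e in zip(gens, bits):
        if e:
            r = compose(r, g)
    return r


def escape_fraction(gens, H):
    """Exact probability, over all 2^k subproducts r, that |Hr \\ H| >= |H|/2.
    Lemma 2.4 promises at least 1/2 for any proper subgroup H of <gens>."""
    hits = 0
    for bits in product((0, 1), repeat=len(gens)):
        r = random_subproduct(gens, bits)
        outside = {compose(h, r) for h in H} - H   # the set Hr \ H
        if 2 * len(outside) >= len(H):
            hits += 1
    return Fraction(hits, 2 ** len(gens))


def l2_norm(X):
    """||X|| = ||phi(X)||_2 of Section 2.2."""
    return math.sqrt(sum(p * p for p in X.values()))


def product_dist(X, Y):
    """Distribution of XY for independent X and Y."""
    Z = {}
    for g, p in X.items():
        for h, q in Y.items():
            gh = compose(g, h)
            Z[gh] = Z.get(gh, 0.0) + p * q
    return Z


def epsilon_uniform(X, G):
    """Smallest eps with |Pr(X = g) - 1/|G|| <= eps/|G| for all g (Definition 2)."""
    n = len(G)
    return n * max(abs(X.get(g, 0.0) - 1.0 / n) for g in G)


def subproduct_walk(gens, t):
    """R_0 = identity, R_{i+1} = R_i g_i^{E_i} with E_i uniform on {0,1}.
    Assumption: g_i cycles through gens (the paper chooses g_i by its Fibonacci
    cube construction).  Returns (distribution of R_t, [||R_0||, ..., ||R_t||])."""
    ident = tuple(range(len(gens[0])))
    R = {ident: 1.0}
    norms = [l2_norm(R)]
    for i in range(t):
        step = {ident: 0.5, gens[i % len(gens)]: 0.5}   # distribution of g_i^{E_i}
        R = product_dist(R, step)
        norms.append(l2_norm(R))
    return R, norms


def nonincreasing(seq, tol=1e-12):
    """Lemma 2.10 predicts ||R_{i+1}|| <= ||R_i||; tol absorbs rounding error."""
    return all(b <= a + tol for a, b in zip(seq, seq[1:]))


# Constructed data: S_4 = <(0 1), (0 1 2 3)>, the stabiliser of the point 0
# (order 6) and the cyclic subgroup generated by the 4-cycle (order 4).
GENS = [(1, 0, 2, 3), (1, 2, 3, 0)]
G = closure(GENS)
STAB0 = {p for p in G if p[0] == 0}
CYC4 = closure([GENS[1]])

if __name__ == "__main__":
    print("|G| =", len(G), "escape fractions:",
          escape_fraction(GENS, STAB0), escape_fraction(GENS, CYC4))
    R, norms = subproduct_walk(GENS, 2000)
    print("||R_0..R_3|| =", [round(x, 4) for x in norms[:4]],
          "nonincreasing:", nonincreasing(norms))
    print("eps after 2000 steps:", epsilon_uniform(R, G))
```

The cyclic subgroup is the case where Lemma 2.4's bound of $1/2$ is attained exactly, while the stabiliser gives $3/4$.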
3 Reduction of probability in the $\ell_2$ norm



In this section, we derive estimates of the form $\|Xg^E\| \le \alpha\|X\|$ for $E$ a uniform $\{0,1\}$-random variable and for fixed $g$ drawn from the distribution of $W$, with probability at least $p > 0$. The positive parameters $\alpha < 1$ and $p$ depend on the choice of $X$ and $W$. In applications, we will find $X$, $Y$ and $J$ such that $\mathcal{R}_i$ has the same distribution as $X^J Y^{1-J}$. Having shown $\|Xg^E\| \le \alpha\|X\|$ in this section, Section 4 will allow us to conclude $\|\mathcal{R}_i g_i^{E_i}\| \le \beta\|\mathcal{R}_i\|$ with probability at least $p > 0$.

Lemma 3.1 Let $X$ and $W$ be independent random variables on a group $G$. Let $E$ be a $\{0,1\}$-random variable and let $X$ and $E$ be independent. The notation $E_{g\in W}(f(g))$ denotes $E(f(W))$ for the function $f: G \to \mathbf{R}$ into the real numbers $\mathbf{R}$. Hence, $E_{g\in W}(\|Xg^E\|^2) = E(f(W))$ for $f(g) = \|Xg^E\|^2$ for $g \in G$. Then

$$E_{g\in W}(\|Xg^E\|^2) = \big((\Pr(E = 0))^2 + (\Pr(E = 1))^2\big)\|X\|^2 + \sum_{h\in G} 2\Pr(E = 0)\Pr(E = 1)\Pr(X = h)\Pr(XW = h).$$

Proof: Lemma 2.9 tells us that $\|X\| = \|Xg^{-1}\|$. Without loss of generality, we can take $X$ and $W$ as independent. If $X$ and $W$ were dependent, then we would take $X'$ as an independent random variable with identical distribution to $X$, and note that $E_{g\in W}(\|X'g^E\|^2) = E_{g\in W}(\|Xg^E\|^2)$. For $X$ and $W$ independent, $\sum_{g\in G}\Pr(X = hg^{-1})\Pr(W = g) = \Pr(XW = h)$. The following equality then holds.

$$
\begin{aligned}
E_{g\in W}(\|Xg^E\|^2)
&= \sum_{g\in G}\Pr(W = g)\sum_{h\in G}\big(\Pr(Xg^E = h)\big)^2 \\
&= \sum_{g\in G}\Pr(W = g)\sum_{h\in G}\Big((\Pr(E = 0)\Pr(X = h))^2 + (\Pr(E = 1)\Pr(X = hg^{-1}))^2 + 2\Pr(E = 0)\Pr(E = 1)\Pr(X = h)\Pr(X = hg^{-1})\Big) \\
&= \sum_{g\in G}\Pr(W = g)(\Pr(E = 0))^2\|X\|^2 + \sum_{g\in G}\Pr(W = g)(\Pr(E = 1))^2\|Xg^{-1}\|^2 + \sum_{h\in G} 2\Pr(E = 0)\Pr(E = 1)\Pr(X = h)\Pr(XW = h) \\
&= \big((\Pr(E = 0))^2 + (\Pr(E = 1))^2\big)\|X\|^2 + \sum_{h\in G} 2\Pr(E = 0)\Pr(E = 1)\Pr(X = h)\Pr(XW = h).
\end{aligned}
$$

□



Theorem 3.2 Let $X$, $W$ and $Z$ be random variables on a group $G$. Let $E$ be a uniform $\{0,1\}$-random variable and let $X$ and $E$ be independent. Let $\lambda > 1$ and let $g \in G$ be drawn from the distribution of $W$. Let $\phi = \Pr(XW \in \mathrm{supp}(X))$. Let $Z$ have a density function such that $\Pr(Z = g) = \Pr(XW = g)/\phi$ for $g \in \mathrm{supp}(X)$ and $\Pr(Z = g) = 0$ for $g \notin \mathrm{supp}(X)$. (The random variable $Z$ can be thought of as $XW$ conditioned on the event $XW \in \mathrm{supp}(X)$.) Let $\|Z\| \le c\|X\|$. Then with probability at least $1 - 1/\lambda$,

$$\|Xg^E\| \le \sqrt{\lambda(1 + c\phi)/2}\;\|X\|.$$

Proof: Note $\sum_{h\in G}\Pr(X = h)\Pr(XW = h) \le \sum_{h\in G}\Pr(X = h)\Pr(Z = h)\phi \le \phi\|X\|\,\|Z\| \le c\phi\|X\|^2$, where the first inequality holds due to the Cauchy-Schwarz inequality. From Lemma 3.1, $E_{g\in W}(\|Xg^E\|^2) \le \|X\|^2(1 + c\phi)/2$. Define the function $f(g) = \|Xg^E\|^2$ from $G$ to the real numbers. By Markov's inequality, $\Pr(f(W) \ge \lambda(\|X\|^2(1 + c\phi)/2)) \le 1/\lambda$, from which the theorem follows. □

The estimate of the next corollary is used for Case 2 in Section 6.



Corollary 3.3 Assume the same hypotheses as Theorem 3.2 with the exception that $XW$ is replaced by $WX$ in the definition of $\phi$ and of $Z$. Then with probability at least $1 - 1/\lambda$,

$$\|g^E X\| \le \sqrt{\lambda(1 + c\phi)/2}\;\|X\|.$$

Proof: Replace $X$ by $X^{-1}$, $W$ by $W^{-1}$, and $g$ by $g^{-1}$ in Theorem 3.2. Then $\phi = \Pr(WX \in \mathrm{supp}(X))$ and $\Pr(Z^{-1} = g) = \Pr(WX = g)/\phi$ for $g \in \mathrm{supp}(X)$ and $\Pr(Z^{-1} = g) = 0$ otherwise. So $\|Z^{-1}\| = \|Z\| \le c\|X\|$. Also $\|X^{-1}(g^{-1})^E\| = \|g^E X\|$, where the last follows from Lemma 2.9. So, the result follows from Theorem 3.2 by considering $Z^{-1}$ instead of $Z$. □



Lemma 3.4 Under the assumptions of Lemma 3.1, and assuming $m \ge \Pr(W = g)$ for all $g \in G$,

$$E_{g\in W}(\|Xg^E\|^2) \le \big((\Pr(E = 0))^2 + (\Pr(E = 1))^2\big)\|X\|^2 + 2m\Pr(E = 0)\Pr(E = 1).$$

Proof: The lemma follows from Lemma 3.1 and $\Pr(XW = h) = \sum_{g\in G}\Pr(W = g)\Pr(X = hg^{-1}) \le m\sum_{g\in G}\Pr(X = hg^{-1}) = m$. □

The estimate of the next theorem is used for Case 1 in Section 6.

Theorem 3.5 Let $X$ and $W$ be random variables on a group $G$. Let $E$ be a uniform $\{0,1\}$-random variable and let $X$ and $E$ be independent. Assume $\Pr(W \notin \mathrm{supp}(X)) \ge \delta$. Assume further that $\Pr(W = g) = \max_{h\in G}\Pr(W = h)$ for all $g \in \mathrm{supp}(X)$. Let $\lambda > 1$ and let $g \in G$ be drawn from the distribution of $W$. Then with probability at least $1 - 1/\lambda$,

$$\|Xg^E\| \le \sqrt{\lambda(1 - \delta/2)}\;\|X\|.$$

Proof: Let $m = \max_{g\in G}\Pr(W = g)$. Then $m|\mathrm{supp}(X)| + \delta \le 1$. So $|\mathrm{supp}(X)| \le (1 - \delta)/m$. Next, $\|X\|^2 \ge 1/|\mathrm{supp}(X)| \ge m/(1 - \delta)$ by Lemma 2.12. So, $m \le (1 - \delta)\|X\|^2$. Combining this inequality with Lemma 3.4 and $\Pr(E = 0) = 1/2$ yields $E_{g\in W}(\|Xg^E\|^2) \le (1/2)\|X\|^2 + m/2 \le (1 - \delta/2)\|X\|^2$. By Markov's inequality (Lemma 2.1), this implies for the function $f(g) = \|Xg^E\|^2$ from $G$ to the real numbers, that $\Pr(f(W) \ge \lambda(1 - \delta/2)\|X\|^2) \le 1/\lambda$. This is equivalent to $\Pr(\|Xg^E\| < \sqrt{\lambda(1 - \delta/2)}\,\|X\|) \ge 1 - 1/\lambda$, from which the theorem follows. □



4 Decomposition of a random variable 

One key to this paper is that given random variables $Z$ and $X$, we can decompose $Z$ into $X$ and a new random variable $Y$, subject to a certain "domination condition". In this section, the variable $Z$ plays the role of $\mathcal{R}_i$ in the main algorithm, and the variable $W$ plays the role of $g_i^{E_i}$ in the main algorithm. Hence in the application to the main algorithm, $W$ can have only two values, $g_i$ and the identity element. Further, $\Pr(W = g_i) = \Pr(E_i = 1)$.
Definition 4 For $X$ and $Y$ random variables on a group $G$, the statement $X =_p Y$ means $\forall g \in G$, $\Pr(X = g) = \Pr(Y = g)$ (i.e. $X$ and $Y$ are identically distributed).



Lemma 4.1 (decomposition) Let $Z$ and $X$ be random variables on a group $G$ and let $I$ be a $\{0,1\}$-random variable with $I$ independent of $X$. Assume that $\Pr(I = 1)\Pr(X = g) \le \Pr(Z = g)$ for all $g \in G$. Then there is a decomposition of $Z$ such that $Z =_p X^I Y^{1-I}$, where $Y$ is a random variable on $G$ independent of $I$ and is unique up to probability density.

Proof: Choose $Y$ independent of $X$ and $I$ to have a probability density function satisfying $\Pr(I = 0)\Pr(Y = g) = \Pr(Z = g) - \Pr(I = 1)\Pr(X = g)$. □

In Section 6, this lemma will be used repeatedly for such decompositions as $\mathcal{R}_i =_p X^I Y^{1-I}$. This allows us to draw a $g \in G$ from the distribution of $\mathcal{R}_i$ with the knowledge that with probability $\Pr(I = 1)$, it is as if the group element had been drawn from the distribution of $X$. Since we can choose $X$ arbitrarily subject to the domination condition $\Pr(I = 1)\Pr(X = g) \le \Pr(\mathcal{R}_i = g)$, this gives us a lot of flexibility.

Once an $\epsilon$-uniform random variable is available for some $\epsilon < 1$, the next lemma shows how to iterate to improve the uniformity.

Lemma 4.2 Let $X$ and $Y$ be independent random variables on a group $G$. Let $X$ be $\delta$-uniform and $Y$ be $\epsilon$-uniform. Then $XY$ is a $\delta\epsilon$-uniform random variable.

Proof: Let $U$, $V$, $I$ and $J$ be independent random variables. Let $U$ and $V$ be uniform on $G$ and let $I$ and $J$ be on $\{0,1\}$, where $\Pr(I = 0) = \delta$ and $\Pr(J = 0) = \epsilon$. Further, by Lemma 4.1 we can write $X =_p U^I A^{1-I}$ and $Y =_p V^J B^{1-J}$ for some random variables, $A$ and $B$. Note that $\Pr(I = 0)\Pr(A = g) \le 2\delta/|G|$ and $\Pr(I = 1)\Pr(U = g) = (1 - \delta)/|G|$ for all $g \in G$ and similarly for $J$, $V$, $B$ and $\epsilon$. By Lemma 2.7, $UV$, $UB$ and $AV$ are all uniform. So there is a uniform random variable $W$ on $G$ and a $\{0,1\}$-random variable $K$ such that $XY =_p W^K(AB)^{1-K}$ with $\Pr(K = 0) = \Pr(I = 0 \text{ and } J = 0) = \delta\epsilon$. So $\Pr(XY = g) \ge \Pr(K = 1)\Pr(W = g) = (1 - \delta\epsilon)/|G|$. Also $\Pr(K = 0)\Pr(AB = g) \le 2\delta\epsilon/|G|$. So $\Pr(XY = g) \le \Pr(K = 1)\Pr(W = g) + \Pr(K = 0)\Pr(AB = g) = (1 + \delta\epsilon)/|G|$. □

The next lemma from linear algebra is a standard calculation on vectors in the $\ell_2$ norm. It is needed to prove the succeeding Theorem 4.4. The vectors of the lemma will correspond to vectors of dimension $|G|$, where a $G$-valued random variable is considered as $(\Pr(X = g_1), \ldots, \Pr(X = g_{|G|}))$.

Lemma 4.3 Let $c$ and $\alpha$ be constants. Let $x$, $y$, $x'$ and $y'$ be vectors in the $\ell_2$ norm. Assume $\|x'\|_2 \le \alpha\|x\|_2$, $\|y'\|_2 \le \|y\|_2$, and $\|x\|_2 \ge c\|y\|_2$ for $0 < \alpha < 1$ and $c > 0$. Then

$$\|x' + y'\|_2 \le \frac{1 + \alpha c}{\sqrt{1 + c^2}}\,\|x + y\|_2.$$



Proof: Note that $\|x\|_2 + \|y\|_2 \le ((1 + c)/\sqrt{1 + c^2})\cdots$ Let $d = (c - \alpha c)/(1 + c)$. The proof follows from $\|x' + y'\|_2 \le \|x'\|_2 + \|y'\|_2 \le \alpha\|x\|_2 + \|y\|_2 \le (\alpha + d/c)\|x\|_2 + (1 - d)\|y\|_2 = ((1 + \alpha c)/(1 + c))(\|x\|_2 + \|y\|_2)$. Note that for fixed $\|x\|_2$ and $\|y\|_2$, $\|x + y\|_2$ is minimized when $x$ and $y$ are perpendicular. In this case, define $c'$ such that $\|x\|_2 = c'\|y\|_2$ and observe that

$$((1 + \alpha c)/(1 + c))(\|x\|_2 + \|y\|_2) = ((1 + \alpha c)/(1 + c))\big((c' + 1)/\sqrt{c'^2 + 1}\big)\sqrt{\|x\|_2^2 + \|y\|_2^2} \le ((1 + \alpha c)/\sqrt{1 + c^2})\sqrt{\|x\|_2^2 + \|y\|_2^2} = ((1 + \alpha c)/\sqrt{1 + c^2})\,\|x + y\|_2.$$

□
The estimate of the next theorem is used for Cases 2 and 3 in Section 6.
Theorem 4.4 Let $X$, $Y$, $Z$ and $W$ be random variables on a group $G$ and let $J$ be a $\{0,1\}$-random variable. Let $X$, $Y$, $W$ and $J$ be independent, and let $Z =_p X^J Y^{1-J}$. Let $\|XW\| \le \alpha\|X\|$ and $\Pr(J = 1)\|X\| \ge c\Pr(J = 0)\|Y\|$ for some $0 < \alpha < 1$ and $c > 0$. Then

$$\|ZW\| \le \frac{1 + \alpha c}{\sqrt{1 + c^2}}\,\|Z\|.$$

Proof: By Lemma 2.10, $\|YW\| \le \|Y\|$. By Lemma 4.3, $\|ZW\| = \|\Pr(J = 1)\varphi(XW) + \Pr(J = 0)\varphi(YW)\|_2 \le ((1 + \alpha c)/\sqrt{1 + c^2})\,\|\Pr(J = 1)\varphi(X) + \Pr(J = 0)\varphi(Y)\|_2 = ((1 + \alpha c)/\sqrt{1 + c^2})\,\|Z\|$. □

The estimate of the next theorem is used for Case 1 in Section 6.

Theorem 4.5 Let $X$, $Y$, $Z$ and $W$ be random variables on a group $G$ and let $J$ be a $\{0,1\}$-random variable. Let $X$, $Y$, $W$ and $J$ be independent, and let $Z =_p X^J Y^{1-J}$. Assume constants $m$, $c$ and $\alpha$ satisfying the following. Let $\Pr(J = 0)\Pr(Y = g) \le m$ for all $g \in G$, and further let $\Pr(J = 0)\Pr(Y = g) = m$ when $g \in \mathrm{supp}(X)$. Let $\|XW\| \le \alpha\|X\|$ for some $0 < \alpha < 1$. Let $c = (1 - \alpha^2)(\Pr(J = 1))^2/(m|A|\Pr(Z \notin A) + 1)$ for $A = \mathrm{supp}(X)$. Then

$$\|ZW\| \le \sqrt{1 - c}\;\|Z\|.$$

Proof: Note that $\Pr(J = 0)\Pr(YW = g) = \Pr(J = 0)\sum_{h\in G}\Pr(Y = h)\Pr(W = h^{-1}g) \le m\sum_{h\in G}\Pr(W = h^{-1}g) = m$. Since $\Pr(X = g) = 0$ for $g \notin \mathrm{supp}(X)$ and $\Pr(J = 0)\Pr(Y = g) = m$ for $g \in \mathrm{supp}(X)$, we have

$$
\begin{aligned}
\sum_{g\in G} 2\Pr(J = 1)\Pr(J = 0)\Pr(XW = g)\Pr(YW = g)
&\le 2m\Pr(J = 1)\sum_{g\in G}\Pr(XW = g) \\
&= 2m\Pr(J = 1) \\
&= 2m\Pr(J = 1)\sum_{g\in\mathrm{supp}(X)}\Pr(X = g) \\
&= 2\Pr(J = 1)\Pr(J = 0)\sum_{g\in G}\Pr(X = g)\Pr(Y = g).
\end{aligned}
$$

By Lemma 2.10, $\|YW\| \le \|Y\|$. Hence,

$$
\begin{aligned}
\|ZW\|^2 &= \|\Pr(J = 1)\varphi(XW) + \Pr(J = 0)\varphi(YW)\|_2^2 \\
&= \sum_{g\in G}\big(\Pr(J = 1)\Pr(XW = g) + \Pr(J = 0)\Pr(YW = g)\big)^2 \\
&= (\Pr(J = 1)\|XW\|)^2 + (\Pr(J = 0)\|YW\|)^2 + \sum_{g\in G} 2\Pr(J = 1)\Pr(J = 0)\Pr(XW = g)\Pr(YW = g) \\
&\le \alpha^2(\Pr(J = 1)\|X\|)^2 + (\Pr(J = 0)\|Y\|)^2 + \sum_{g\in G} 2\Pr(J = 1)\Pr(J = 0)\Pr(X = g)\Pr(Y = g) \\
&= \|Z\|^2 - (1 - \alpha^2)(\Pr(J = 1)\|X\|)^2 \\
&\le (1 - c)\|Z\|^2
\end{aligned}
$$

providing $(1 - \alpha^2)(\Pr(J = 1)\|X\|)^2 \ge c\|Z\|^2$ for $c > 0$.

We find such a $c$. Let $A = \mathrm{supp}(X)$. Note that $m|A| + \Pr(J = 1) = \Pr(J = 0)\Pr(Y \in A) + \Pr(J = 1) \le 1$. One can show that $\|X\|^2/\|Z\|^2$ is minimized when $X$ is uniform on $A$. In this case, $\|X\|^2 = 1/|A|$ and we have $\|Z\|^2 \le m^2(\Pr(Z \notin A)/m) + |A|(m + \Pr(J = 1)/|A|)^2 \le m\Pr(Z \notin A) + 1/|A|$. So, if $c = (1 - \alpha^2)(\Pr(J = 1))^2/(m|A|\Pr(Z \notin A) + 1)$, then $(1 - \alpha^2)(\Pr(J = 1)\|X\|)^2 \ge c\|Z\|^2$. □



5 Fuzzy subgroups and escaping from a set 

Section 4 constructs an element $g \in G$ such that $\|\mathcal{R}_i g^{E_i}\| \le c\|\mathcal{R}_i\|$ for some $c < 1$. However, it fails if, for example, $X$, $W$ and $XW$ all have identical distribution. This is part of a larger class of examples. If $\mathcal{R}_i$ is the uniform distribution on a proper subgroup $H < G$, then any construction of $X$ and $W$ from $\mathcal{R}_i$ will fail to produce a $g \in G$ with $\|\mathcal{R}_i g^{E_i}\| \le c\|\mathcal{R}_i\|$, since $\|\mathcal{R}_i\|$ is already minimized among random variables on $H < G$. Hence, when the methods of Section 4 fail, we must demonstrate that this implies that $\mathcal{R}_i$ is close to a uniform distribution on a proper subgroup $H < G$.

The following surprising lemma is the key. It shows that if one cannot escape a set $A = B^{-1}B$ with reasonable probability simply by multiplying two random elements of the set $A$, then one must be "stuck" in a proper subgroup. Loosely speaking, either the product of two random elements of $A$ "escapes" from the set $A$, or else $A$ must be a "fuzzy subgroup" of $G$ in the sense that $A$ is close in probability to some subgroup of $G$. In the latter case, we use the generators of $G$ to construct a $g \notin H$ so that $\mathcal{R}_i g^{E_i}$ "escapes" the set $H$.

The proof proceeds by constructing a multiplication table for products of elements of $A$. If $gh \notin A$ for $g, h \in A$, then we think of $gh$ as a "hole" in the multiplication table. We then augment the multiplication table to include $gh$, and show that the number of holes in the multiplication table for $A \cup \{gh\}$ has been reduced.

Lemma 5.1 Let $A \subseteq G$ satisfy $A = A^{-1}$. Let $\delta < 1/4$. Assume $\forall g \in A$, $|Ag \setminus A| \le \delta|A|$. Then

$$|AA \setminus A| \le \frac{\delta}{1 - 2\delta}\,|A|.$$

Furthermore, $AA$ is a subgroup of $G$.

Proof: Define $\phi(g) = |\{a \in A : ag \notin A\}|$. The hypothesis can be re-phrased as $\forall g \in A$, $\phi(g) \le \delta|A|$. From this it follows that

$$\forall g, h \in A,\quad \phi(gh) \le \phi(g) + \phi(h) \le 2\delta|A|.$$

Similarly, for all $a, b, c, d \in A$, $\phi(abc) \le 3\delta|A|$ and $\phi(abcd) \le 4\delta|A|$.

So, for $g, h \in A$ such that $gh \notin A$, there are at least $(1 - 2\delta)|A|$ pairs $(u, v)$ such that $gh = uv$. To see this, note that $v = u^{-1}gh$ and so we are counting the number of pairs $(u, v) \in A \times A$ such that $u^{-1}gh \in A$. This number is $|A| - \phi(gh) \ge (1 - 2\delta)|A|$. Hence, $|AA \setminus A| \le \delta/(1 - 2\delta)\,|A|$ as required by the lemma.

It remains to show that $AA$ is a group. Since it is closed under inverses, we must show that it is closed under multiplication. For $a, b \in A$, it is clear that $ab \in AA$. Given $a \in A$ and $c, d \in AA \setminus A$, we must demonstrate membership in three cases: $ac, ca, cd \in AA$.

We first show that $cd \in AA$, where $c = gh$, $d = uv$, $c, d \in AA \setminus A$ and $g, h, u, v \in A$. Note that $\phi(ghuv) \le 4\delta|A| < |A|$. Therefore $\exists w \in A$ such that $wghuv =: x \in A$. So, $cd = (gh)(uv) = w^{-1}x \in AA$.

A similar argument holds to show that $ca \in AA$, where $c = gh$, $c \in AA \setminus A$ and $a, g, h \in A$. It follows from noting that $\phi(gha) \le 3\delta|A| < |A|$. Finally, $ac = (c^{-1}a^{-1})^{-1}$, and so the case of $ac$ reduces to the previously proved case of $ca$. □

Remark 1 Examination of the proof shows that the hypothesis could be weakened to $\delta < 1/3$ or further, at the cost of showing that $A^k$ is a group for some sufficiently large $k$.



One interpretation of Lemma 5.1 is that for random $(u, v) \in A \times A$, $uv \notin A$ with some constant probability, or $AA$ is close to a group and so $ug \notin A$ with some constant probability for some group generator $g$.

Theorem 5.2 Let $k > 1$ and $0 < \epsilon < 1$ be arbitrary constants and let $\delta = (2 + k^2\epsilon)/(k - 2)$. Assume $\delta < 1/4$. Let $A \subseteq G = \langle S \rangle$ satisfy $A = A^{-1}$. Then one of the following is true.

1. Given a random $(u, v) \in A \times A$ drawn from a uniform distribution, $uv \notin A$ with probability at least $\epsilon$.

2. $\exists A' \subseteq A$ with $|A \setminus A'| < 2|A|/k$ such that $A'A'$ is a subgroup of $G$. Furthermore

$$|A'A' \setminus A'| < \frac{\delta}{1 - 2\delta}\,|A'|.$$

Proof: Define $B \subseteq A \times A$ such that $B = \{(g, h) : gh \in A\}$. If $|A \times A \setminus B| \ge \epsilon|A \times A|$, then a random $(u, v) \in A \times A$ satisfies $uv \notin A$ with probability at least $\epsilon$, and we are done.

Otherwise, $|A \times A \setminus B| < \epsilon|A \times A|$. Note that $k\epsilon < 1$ (indeed $\delta < 1/4$ gives $k^2\epsilon < (k - 2)/4 < k$). Let

$$A' = \{g \in A : |Ag \setminus A| < k\epsilon|A| \text{ and } |gA \setminus A| < k\epsilon|A|\}.$$

Note that $A' = A'^{-1}$, since $(gA \setminus A)^{-1} = Ag^{-1} \setminus A$. Also $|A \setminus A'| < 2|A|/k$. To see the latter, note that

$$|\{g : |Ag \setminus A| \ge k\epsilon|A|\}| \le |\{(u, g) : ug \notin A\}|/(k\epsilon|A|) = |A \times A \setminus B|/(k\epsilon|A|) < |A|/k,$$

and likewise for the condition on $|gA \setminus A|$.

Therefore $|(A'g \cap A) \setminus A'| \le |A \setminus A'| < (2/k)|A|$. Also $|A'g \setminus A| \le |Ag \setminus A| < k\epsilon|A|$ for all $g \in A'$. Hence $|A'g \setminus A'| < (2/k)|A| + k\epsilon|A| = ((2 + k^2\epsilon)/k)|A|$. But $|A| < |A'|/(1 - 2/k)$ follows from $|A| - |A'| = |A \setminus A'| < 2|A|/k$. (The coefficient $1/(1 - 2/k)$ is positive since $\delta < 1/4$ implies that $k > 10$.) Hence $|A'g \setminus A'| < ((2 + k^2\epsilon)/(k - 2))|A'| = \delta|A'|$ for all $g \in A'$.

Since $\delta < 1/4$ and $|A'g \setminus A'| < \delta|A'|$ for all $g \in A'$, we can invoke Lemma 5.1 on $A'$ and conclude that $A'A'$ is a subgroup of $G$. The bound on $|A'A' \setminus A'|$ follows from the same lemma. □



Corollary 5.3 Assume $A$, $k$ and $\epsilon$ as in Theorem 5.2. Let $p = (1/2) - (1/k)$ and let $r$ be a random subproduct on $S$. Assume $(u, v) \in A \times A$ drawn from a uniform distribution. Let $g = u\,v^I r^{1-I}$ for $I$ a $\{0, 1\}$ random variable with $\Pr(I = 1) = p/(p + \epsilon)$. Then $g \notin A$ with probability at least $p\epsilon/(p + \epsilon) \ge \epsilon - 2k\epsilon^2/(k - 2)$.

Proof: Theorem 5.2 tells us that $uv \notin A$ with probability at least $\epsilon$ or $A'A'$ is a subgroup of $G$ with $|A \setminus A'| < 2|A|/k$. In the latter case, $r \notin A'A'$ with probability at least $1/2$ (this uses that $A'A'$ is a proper subgroup of $G$, as in Lemma 2.4; the case $A'A' = G$ is treated separately in Section 6.3). Hence, with probability at least $1/2$, for $h \in A'$, $hr \notin A'A' \supseteq A'$. For $u$ drawn at random from $A$, $ur \notin A$ with probability at least $(1/2)|A'|/|A| > (1/2) - (1/k) = p$.

Let $g = u\,v^I r^{1-I}$. Then $\Pr(g \notin A) \ge \min(\epsilon\Pr(I = 1),\, p\Pr(I = 0)) = p\epsilon/(p + \epsilon) = \epsilon(k - 2)/(2k\epsilon + k - 2) \ge \epsilon - 2k\epsilon^2/(k - 2)$. □



Remark 2 Consider the equation $\delta = (2 + k^2\epsilon)/(k - 2)$ of Theorem 5.2. For fixed $\delta$, the variable $\epsilon = (\delta(k - 2) - 2)/k^2$ is maximized when $k = 4/\delta + 4$. Taking $\delta = 1/4$ implies $k = 20$ and $\epsilon = 1/160$ when $\epsilon$ is maximized. In this case, Corollary 5.3 produces a $g \notin A$ with probability at least $\epsilon - 2k\epsilon^2/(k - 2) > 0.006$.
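To make the dichotomy of Lemma 5.1 and Theorem 5.2 concrete, here is an added example (not code from the paper) that computes, for a symmetric subset $A$ of a small finite group, the quantities the lemma is built on: $\phi(g) = |\{a \in A : ag \notin A\}|$ (the holes in the $g$-column of the multiplication table), the resulting $\delta$, the escape probability $\Pr(uv \notin A)$ of alternative 1, the set $AA \setminus A$, and whether $AA$ is closed. The group is the cyclic group $\mathbb{Z}_n$ written additively, a constructed choice made only so that no group library is needed; the functions take the group operations as parameters and apply to any finite group. The two sample sets, a subgroup with two elements removed (a "fuzzy subgroup" in the sense of the lemma) and a symmetric interval, are constructed for the illustration.

```python
def phi(A, g, mul):
    """phi(g) = |{a in A : a*g not in A}|: the holes in the g-column of A's multiplication table."""
    return sum(1 for a in A if mul(a, g) not in A)

def delta_of(A, mul):
    """Smallest delta with |Ag \\ A| <= delta*|A| for every g in A (hypothesis of Lemma 5.1)."""
    return max(phi(A, g, mul) for g in A) / len(A)

def escape_probability(A, mul):
    """Pr(uv not in A) for (u, v) uniform on A x A (alternative 1 of Theorem 5.2)."""
    holes = sum(1 for u in A for v in A if mul(u, v) not in A)
    return holes / len(A) ** 2

def product_set(A, mul):
    return {mul(u, v) for u in A for v in A}

def is_symmetric(A, inv):
    return all(inv(a) in A for a in A)

def is_closed(S, mul):
    return all(mul(u, v) in S for u in S for v in S)

def analyse(A, mul, inv):
    """The quantities of Lemma 5.1 for a symmetric set A (mul, inv are the group operations)."""
    if not is_symmetric(A, inv):
        raise ValueError("Lemma 5.1 needs A = A^{-1}")
    d = delta_of(A, mul)
    AA = product_set(A, mul)
    return {
        "size": len(A),
        "delta": d,
        "escape": escape_probability(A, mul),
        "AA_minus_A": len(AA - A),
        "AA_closed": is_closed(AA, mul),   # AA is a subgroup iff closed (inverses are automatic)
        # the lemma's bound delta/(1-2delta)*|A| on |AA \ A| applies only when delta < 1/4
        "lemma_bound": d / (1 - 2 * d) * len(A) if d < 0.25 else None,
    }

def zn_ops(n):
    """Group operations of Z_n written additively: mul = addition mod n, inv = negation mod n."""
    return (lambda u, v: (u + v) % n), (lambda u: (-u) % n)

def fuzzy_subgroup_example(n=60, d=3, drop=6):
    """A = the subgroup dZ_n with {drop, -drop} removed: symmetric and nearly a subgroup (constructed)."""
    mul, inv = zn_ops(n)
    A = {x for x in range(n) if x % d == 0} - {drop % n, (-drop) % n}
    return analyse(A, mul, inv)

def interval_example(n=100, k=10):
    """A = {-k, ..., k} in Z_n: symmetric, but far from every subgroup (constructed)."""
    mul, inv = zn_ops(n)
    A = {x % n for x in range(-k, k + 1)}
    return analyse(A, mul, inv)
```

For the first set, $\delta = 2/18 < 1/4$, $AA$ is the full subgroup and $|AA \setminus A| = 2$ lies below the lemma's bound $\frac{\delta}{1-2\delta}|A| = 18/7$; for the interval, $\delta \approx 0.48$, $AA$ is not closed, and the escape probability $110/441 \approx 0.25$ is far above the $\epsilon = 1/160$ of Remark 2, so alternative 1 of Theorem 5.2 holds.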
6 Fibonacci Cube algorithm for semi-uniform random generation

We now have all of the algorithmic components outlined in the overview section of the paper. The goal of this section is only to construct $g_i$ for which $g_1^{E_1} \cdots g_t^{E_t}$ is semi-uniform.

Definition 5 A random variable $X$ on a group $G$ is an $\epsilon$-semi-uniform random variable if $\Pr(X = g) \ge 1/|G| - \epsilon/|G|$ for all $g \in G$. The random variable is semi-uniform if it is $\epsilon$-semi-uniform for some $\epsilon < 1$.



6.1 Algorithm 

Given a random variable $\mathcal{R}_i$ on a group $G = \langle S \rangle$, we wish to construct $g_i \in G$ such that $\|\mathcal{R}_i g_i^{E_i}\| / \|\mathcal{R}_i\| \le c < 1$ for some constant $c$ and for $E_1, E_2, \ldots$ independent uniform $\{0, 1\}$-random variables. By Lemma 2.10, $\|\mathcal{R}_i h^{E_i}\| \le \|\mathcal{R}_i\|$ for all $h \in G$. Hence, we will construct $g_i$ that has only some constant probability of satisfying $\|\mathcal{R}_i g_i^{E_i}\| / \|\mathcal{R}_i\| \le c < 1$. We then set $\mathcal{R}_{i+1} = \mathcal{R}_i g_i^{E_i}$, knowing that $\|\mathcal{R}_{i+1}\| = \|\mathcal{R}_i g_i^{E_i}\| \le \|\mathcal{R}_i\|$, even if $g_i$ did not succeed. We can then try again by constructing $g_{i+1}$. In Case 2 below, we define $\mathcal{R}_{i+1} = g_i^{E_i} \mathcal{R}_i$ instead of $\mathcal{R}_{i+1} = \mathcal{R}_i g_i^{E_i}$, but this does not change the spirit of the algorithm.

We call the algorithm below the Fibonacci Cube algorithm by allusion to the Fibonacci series. Like the Fibonacci series, each group element is derived from the previous elements of the series. It is a cube algorithm since $\mathcal{R}_i = h_1^{E_1} \cdots h_k^{E_k}$ for exponents that are independent uniform $\{0, 1\}$-random variables. The pseudo-code for the algorithm is simple.



Algorithm Fibonacci-Cube
  INPUT: Black box group $G = \langle S \rangle$
  OUTPUT: $\tilde{\mathcal{R}}_t^{-1} \mathcal{R}_t$ for $\tilde{\mathcal{R}}_t$ an independent copy of $\mathcal{R}_t$;
    [ For large enough $t$, $\Pr(\tilde{\mathcal{R}}_t^{-1} \mathcal{R}_t = g) \ge (3/4)(1 - \beta)^2 / |G|$ for all $g \in G$ ]
  PARAMETERS: positive constants $a$, $b$ and $c$; $\alpha$ and $p$ dependent on $a$, $b$ and $c$
    such that $\|\mathcal{R}_{i+1}\| \le \alpha \|\mathcal{R}_i\|$ with probability at least $p$
    unless $\tilde{\mathcal{R}}_i^{-1} \mathcal{R}_i$ already satisfies the conditions on $\tilde{\mathcal{R}}_t^{-1} \mathcal{R}_t$
  Let $\mathcal{R}_1$ be the identity element with probability 1
  Let $t = \log|G| / \log \alpha^{-2p}$
  For $i = 1$ to $t - 1$
    Let $d = 1/a + 1/b + 1/c$
    Let $j \in \{1, 2, 3\}$ with probability $1/(ad)$, $1/(bd)$ or $1/(cd)$, respectively
    Goto Case $j$
    Case 1:
      Choose $g_i$ from the distribution of $\mathcal{R}_i$
      Set $\mathcal{R}_{i+1} = \mathcal{R}_i g_i^{E_i}$
    Case 2:
      Choose $g_i$ from the distribution of $\mathcal{R}_i$
      Set $\mathcal{R}_{i+1} = g_i^{E_i} \mathcal{R}_i$
    Case 3:
      Choose $g_i$ from the distribution of random subproducts on $S$
      Set $\mathcal{R}_{i+1} = \mathcal{R}_i g_i^{E_i}$
  Return $\tilde{\mathcal{R}}_t^{-1} \mathcal{R}_t$ for $\tilde{\mathcal{R}}_t$ an independent copy of $\mathcal{R}_t$
Note that the output of the algorithm is in terms of a random variable $\mathcal{R}_t = h_1^{E_1} \cdots h_t^{E_t}$, where $(h_1, \ldots, h_t)$ is a reordering of $(g_1, \ldots, g_t)$ (an element introduced in Case 2 is multiplied on the left and so moves to the front of the product). So, an implementation of the algorithm would need only to record the elements $(h_1, \ldots, h_t)$. An element from the distribution $\tilde{\mathcal{R}}_t^{-1} \mathcal{R}_t$ is then computed as $(h_t^{-1})^{\tilde{E}_t} \cdots (h_1^{-1})^{\tilde{E}_1} (h_1)^{E_1} \cdots (h_t)^{E_t}$, where each of $E_1, \ldots, E_t, \tilde{E}_1, \ldots, \tilde{E}_t$ is independently equal to zero or one with probability $1/2$.

The random variable produced by the Fibonacci cube algorithm is used to produce a $\gamma$-uniform random element. One can then use Lemma 4.2 to produce $\epsilon$-uniform random elements for arbitrarily small $\epsilon$.
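As an added illustration (not code from the paper), the following Python implementation runs the pseudo-code above on a small black-box group and then draws from $\tilde{\mathcal{R}}_t^{-1} \mathcal{R}_t$ exactly as just described: the elements $h_1, h_2, \ldots$ are kept in product order (Case 2 prepends because it multiplies on the left), and each output is $(h_k^{-1})^{\tilde{E}_k} \cdots (h_1^{-1})^{\tilde{E}_1} h_1^{E_1} \cdots h_k^{E_k}$ with fresh fair bits. The black box is $S_4$ given by two generators, a constructed choice; the algorithm touches the group only through multiply, invert and identity. The parameters $a, b, c$ default to equal weights, and the step count $t$ is a plain argument rather than $\log|G| / \log \alpha^{-2p}$, since $\alpha$ and $p$ are existence constants of the analysis. The closure enumeration at the end is not part of the algorithm; it only checks the sample against the full group.

```python
import random

# Permutations of {0, ..., n-1} as tuples; p*q means "apply q, then p".
def perm_mul(p, q):
    return tuple(p[x] for x in q)

def perm_inv(p):
    inv = [0] * len(p)
    for i, x in enumerate(p):
        inv[x] = i
    return tuple(inv)

class BlackBoxGroup:
    """Black-box interface: only identity, multiply and invert are available."""
    def __init__(self, identity, mul, inv):
        self.identity, self.mul, self.inv = identity, mul, inv

def random_subproduct(G, gens, rng):
    """Random subproduct: random order of the generators, each kept with probability 1/2."""
    order = list(gens)
    rng.shuffle(order)
    r = G.identity
    for s in order:
        if rng.random() < 0.5:
            r = G.mul(r, s)
    return r

def cube_sample(G, elems, rng):
    """One draw from the cube h_1^{E_1} ... h_k^{E_k} with independent fair bits E_j."""
    x = G.identity
    for h in elems:
        if rng.random() < 0.5:
            x = G.mul(x, h)
    return x

def fibonacci_cube(G, gens, t, rng, weights=(1.0, 1.0, 1.0)):
    """Run the t-1 steps of the pseudo-code; returns (h_1, ..., h_{t-1}), so R_t is the cube over it."""
    a, b, c = weights
    d = 1 / a + 1 / b + 1 / c
    case_probs = [1 / (a * d), 1 / (b * d), 1 / (c * d)]
    elems = []                                     # R_1 is the identity: the empty cube
    for _ in range(t - 1):
        case = rng.choices((1, 2, 3), weights=case_probs)[0]
        if case == 1:                              # R_{i+1} = R_i g^E,  g drawn from R_i
            elems.append(cube_sample(G, elems, rng))
        elif case == 2:                            # R_{i+1} = g^E R_i,  g drawn from R_i
            elems.insert(0, cube_sample(G, elems, rng))
        else:                                      # R_{i+1} = R_i g^E,  g a random subproduct
            elems.append(random_subproduct(G, gens, rng))
    return elems

def sample_output(G, elems, rng):
    """One draw from R~_t^{-1} R_t: (h_k^{-1})^{E~_k} ... (h_1^{-1})^{E~_1} h_1^{E_1} ... h_k^{E_k}."""
    left = cube_sample(G, [G.inv(h) for h in reversed(elems)], rng)
    right = cube_sample(G, elems, rng)
    return G.mul(left, right)

def closure(G, gens):
    """Enumerate the group (feasible only for tiny groups; used here just to check the sampler)."""
    seen = {G.identity}
    frontier = [G.identity]
    while frontier:
        nxt = []
        for x in frontier:
            for s in gens:
                y = G.mul(x, s)
                if y not in seen:
                    seen.add(y)
                    nxt.append(y)
        frontier = nxt
    return seen

def demo(seed=1, t=40, samples=4000):
    """S_4 = <(0 1), (0 1 2 3)> as a black box; returns (sample counts, full group)."""
    rng = random.Random(seed)
    G = BlackBoxGroup((0, 1, 2, 3), perm_mul, perm_inv)
    gens = [(1, 0, 2, 3), (1, 2, 3, 0)]
    elems = fibonacci_cube(G, gens, t, rng)
    counts = {}
    for _ in range(samples):
        x = sample_output(G, elems, rng)
        counts[x] = counts.get(x, 0) + 1
    return counts, closure(G, gens)
```

Each output costs at most $2(t - 1)$ multiplications, matching the remark that every factor $g_i^{E_i}$ contributes at most one multiplication; with a seeded generator the run is reproducible, and every one of the 24 elements of $S_4$ appears among the samples, which is what semi-uniformity promises.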

6.2 Overview of proof 



The immediate goal is to prove Lemma 6.2, that $\|\mathcal{R}_{i+1}\| \le c\|\mathcal{R}_i\|$ with probability at least $p > 0$ for some positive $c < 1$.

In Cases 1 and 2, $\mathcal{R}_{i+1} = \mathcal{R}_i g^{E_i}$ or $\mathcal{R}_{i+1} = g^{E_i} \mathcal{R}_i$, for $g$ drawn from $W \overset{D}{=} \mathcal{R}_i$. In Case 3, $\mathcal{R}_{i+1} = \mathcal{R}_i g^{E_i}$ for $g$ a random subproduct. The proof proceeds by decomposing both $\mathcal{R}_i$ and $W$ as follows into products of random variables that are easier to analyze (here $X^J Y^{1-J}$, with $J$ a $\{0, 1\}$-valued random variable, denotes the mixture that equals $X$ when $J = 1$ and $Y$ when $J = 0$, and $\overset{D}{=}$ denotes equality in distribution).

$$\mathcal{R}_i \overset{D}{=} X^J Y^{1-J}$$

$$W \overset{D}{=} \mathcal{R}_i \overset{D}{=} W'^K T^{1-K} \quad \text{(Cases 1 and 2 only)}$$

$$W = W' \text{ is a random subproduct on the group generators} \quad \text{(Case 3)}$$

The general approach in each case is to define $X$, $J$, $W'$ and $K$ so that $\|Xg^{E_i}\| \le a\|X\|$ for some positive $a < 1$ and for $g$ drawn from the distribution of $W'$, with probability $p > 0$. The results of Sections 3 or 5 are used here (Theorem 3.5 for Case 1, Corollary 3.3 for Case 2, and Theorem 5.2 for Case 3).

Then a result from Section 4 (Theorem 4.5 or Theorem 4.4) is used to show that $\|Xg^{E_i}\| \le a\|X\|$ implies $\|\mathcal{R}_i g^{E_i}\| \le b\|\mathcal{R}_i\|$ for some positive $b < 1$ and for $g$ drawn from the distribution of $W'$, with probability $p > 0$.

Of course, one wishes to draw $g$ from the distribution of $W$, rather than from the distribution of $W'$. Since $W \overset{D}{=} W'^K T^{1-K}$, a group element $g$ drawn from the distribution of $W$ can be considered to have been drawn from the distribution of $W'$ with probability $\Pr(K = 1)$. Hence, one observes that the previous result implies that $\|\mathcal{R}_i g^{E_i}\| \le b\|\mathcal{R}_i\|$ for some positive $b < 1$ and for $g$ drawn from the distribution of $W$, with probability $p\Pr(K = 1) > 0$.

At any step of the algorithm, one does not know which of the three cases is satisfied by the current $\mathcal{R}_i$. However, this is not a problem. One chooses the recipe of one of the three cases at random in deciding how to construct $g_i$ and $\mathcal{R}_{i+1}$. If an incorrect case is chosen, Lemma 2.10 guarantees that $\|\mathcal{R}_{i+1}\| = \|\mathcal{R}_i g_i^{E_i}\| \le \|\mathcal{R}_i\|$. So, as long as a correct case is chosen with at least some positive probability, the algorithm makes progress.

The pseudo-code allows one to choose positive parameters $a$, $b$ and $c$ to determine the ratio of the probabilities for choosing each of the three cases. However, the algorithm succeeds with the same asymptotic estimates regardless of the choice of $a$, $b$ and $c$.

6.3 Proof 

The analysis of the pseudo-code will be in terms of three parameters, $\beta$, $\delta$ and $\lambda$, such that $1 > \beta > 2\delta > 0$ and $\lambda > 1$. The parameter values will be chosen based on the requirements of the proof.

The analysis of Cases 1, 2 and 3 of this section applies for $|G| > \max(1/\delta, 1/(\beta - \delta))$. The analysis finds asymptotic bounds on the time to produce an $\epsilon$-uniform random variable on $G$. For groups with order $|G| \le \max(1/\delta, 1/(\beta - \delta))$, one can easily show that the pseudo-code succeeds in some constant time.

Definition 6 Define

$$A_x = \{g \in G : \Pr(\mathcal{R}_i = g) > x\}$$

$$m \overset{\mathrm{def}}{=} \min\{x : \Pr(\mathcal{R}_i \notin A_x) \ge \delta\}$$

Note that $m$ and $A_m$ implicitly depend on $\mathcal{R}_i$, and hence on $i$. Define $\hat{A}_m \supseteq A_m$ so that

$$\forall B \supsetneq \hat{A}_m,\quad \Pr(\mathcal{R}_i \notin B) < \delta \le \Pr(\mathcal{R}_i \notin \hat{A}_m).$$

This need not uniquely define $\hat{A}_m$, but any instance satisfying the defining conditions will suffice. The condition implies that $\hat{A}_m$ is maximal in the sense that $\Pr(\mathcal{R}_i \notin B) < \delta$ for all $B \supsetneq \hat{A}_m$. After Lemma 6.1 we write simply $A_m$ for this maximal set $\hat{A}_m$; the properties of $A_m$ used in the case analysis below are exactly those established in Lemma 6.1.



Lemma 6.1 Assume $\max_{g \in G} \Pr(\mathcal{R}_i = g) < 1 - \delta$. The set $\hat{A}_m \subseteq G$ satisfies

$$\delta \le \Pr(\mathcal{R}_i \notin \hat{A}_m) \le \delta + m.$$

Also,

$$\Pr(\mathcal{R}_i = g) \ge m \text{ for } g \in \hat{A}_m, \qquad \Pr(\mathcal{R}_i = g) \le m \text{ for } g \notin \hat{A}_m.$$

Further, if $m \le \delta$, then

$$\delta \le \Pr(\mathcal{R}_i \notin \hat{A}_m) \le 2\delta.$$

Proof: The first inequality follows easily from the definition of $\hat{A}_m$ and $\max_{g \in G} \Pr(\mathcal{R}_i = g) < 1 - \delta$. For the next two inequalities, note that the definition of $A_m$ implies there is a $g \in G$ such that $\Pr(\mathcal{R}_i = g) = m$; elements of $A_m$ have probability greater than $m$ and elements outside $A_m$ have probability at most $m$. If there were only one such $g$, one would have $\hat{A}_m = A_m$. If there are multiple such $g$, then $\Pr(\mathcal{R}_i = g) = m$ for all $g \in \hat{A}_m \setminus A_m$, so the two inequalities hold for $\hat{A}_m$ as well. Since adding one more element, of probability at most $m$, to $\hat{A}_m$ brings $\Pr(\mathcal{R}_i \notin \cdot)$ below $\delta$, also $\Pr(\mathcal{R}_i \notin \hat{A}_m) \le \delta + m$. The last inequality follows from the first one and $m \le \delta$. □








[Figure 1: Probability density function for $\mathcal{R}_i$; the shaded part (outside $A_m$) has area $\ge \delta$, and outside of $\hat{A}_m$ the area is also $\ge \delta$.]

In the rest of this section, we will isolate a "Case 0" to consider $m > \delta$ or $\max_{g \in G} \Pr(\mathcal{R}_i = g) \ge 1 - \delta$. In all other cases, Lemma 6.1 applies with its conclusion that

$$\delta \le \Pr(\mathcal{R}_i \notin A_m) \le 2\delta.$$
Definition 7 Define the random variable $U_B$ on $G$ for a set $B \subseteq G$ by

$$\Pr(U_B = g) = \begin{cases} 1/|B| & \text{for } g \in B \\ 0 & \text{for } g \notin B \end{cases}$$



Recall that $1 > \beta > 2\delta > 0$ and $\lambda > 1$ below. The parameters $\beta$, $\delta$ and $\lambda$ are fixed throughout. The parameter $m$ and the set $A_m$ depend on $\mathcal{R}_i$ and hence on $i$. Intuitively, one may think of $1 - \beta$ as a constant against which $m|A_m|$ is measured. Similarly, one may think of $\delta$ as a constant against which $\Pr(\mathcal{R}_i \notin A_m)$ is measured. One thinks of $\Pr(\mathcal{R}_i \in A_m) - m|A_m|$ as "large" if it is larger than $\beta - \delta$. In each of the three cases, we will construct $g_i \in G$ and conclude that there is a $c' < 1$ and $p' > 0$ such that $\|\mathcal{R}_i g_i^{E_i}\| \le c'\|\mathcal{R}_i\|$ with probability at least $p'$.

All cases are described in the following context:

$$\mathcal{R}_i \overset{D}{=} X^J Y^{1-J}$$

$$g_i \text{ drawn from } W \overset{D}{=} W'^K T^{1-K}$$

Certain of the cases will also require $V_1$ and $V_2$, defined as independent random variables distributed identically to $U_{A_m}$. The two random variables depend on $\mathcal{R}_i$, and hence on $i$.

Case 0: ($m > \delta$ or $\max_{g \in G} \Pr(\mathcal{R}_i = g) \ge 1 - \delta$) Note that $m > \delta$ implies $\max_{g \in G} \Pr(\mathcal{R}_i = g) \ge m > \delta$. Hence, $\max_{g \in G} \Pr(\mathcal{R}_i = g) \ge \min(\delta, 1 - \delta)$ and this case represents the initial situation, when the probability distribution on $G$ still includes at least one group element whose probability of occurrence is high. Since $\delta$ is a constant, we need only show that we can make constant progress. Specifically, we need to show that after a constant number of steps, $\max_{g \in G} \Pr(\mathcal{R}_i = g) < \min(\delta, 1 - \delta)$. Since each step averages two values of the previous distribution ($\Pr(\mathcal{R}_i g^{E_i} = h) = \frac{1}{2}\Pr(\mathcal{R}_i = h) + \frac{1}{2}\Pr(\mathcal{R}_i = hg^{-1})$, and similarly for multiplication on the left), the maximum probability never increases, so if this is true for some $i$, then it will be true for all $j \ge i$.

One can show for arbitrary constant $\delta$ that there are large enough constants $i$ and $\phi$ such that $|G| > \phi$ implies $\max_{g \in G} \Pr(\mathcal{R}_i = g) < \min(\delta, 1 - \delta)$. We omit the details.





[Figure 2: Case 1: Left shaded part is the unnormalized probability density for $X$; right shaded part is the unnormalized probability density for $W'$ (shaded parts have area less than 1).]



Case 1: ($m \le \delta$ and $\max_{g \in G} \Pr(\mathcal{R}_i = g) < 1 - \delta$ and $m|A_m| < 1 - \beta$) Intuitively, if $\|X\|^2$ is larger than $\max_{g \in G} \Pr(W' = g)$, then we will make progress to a more uniform distribution via Theorem 3.5. We require that $\|X\|$ and $\|W'\|$ be sufficiently large. We enforce this condition through $\Pr(\mathcal{R}_i \notin A_m) \ge \delta$ and through $\Pr(\mathcal{R}_i \in A_m) - m|A_m| > (1 - 2\delta) - (1 - \beta) = \beta - 2\delta$. This allows us to choose $X$ and $W'$ as in Figure 2.

Let $f_1(g) = \max(0, \Pr(\mathcal{R}_i = g) - m)$. Let $\Pr(J = 1) = \sum_{g \in G} f_1(g) = \Pr(\mathcal{R}_i \in A_m) - m|A_m|$. Define $X$ so that $\Pr(X = g) = f_1(g)/\Pr(J = 1) = f_1(g)/\sum_{g' \in G} f_1(g')$. Let $f_2(g) = \min(m, \Pr(\mathcal{R}_i = g))$. Let $\Pr(K = 1) = \sum_{g \in G} f_2(g) = \Pr(\mathcal{R}_i \notin A_m) + m|A_m|$. Define $W'$ so that $\Pr(W' = g) = f_2(g)/\Pr(K = 1) = f_2(g)/\sum_{g' \in G} f_2(g')$ and $W'$ is independent of $X$. Note that $\Pr(J = 1) = \sum_{g \in G} f_1(g) \ge 1 - 2\delta - (1 - \beta) = \beta - 2\delta$. Note that $\Pr(K = 1) = \sum_{g \in G} f_2(g) = \Pr(\mathcal{R}_i \notin A_m) + m|A_m|$ and hence $\delta \le \Pr(K = 1) < (1 - \beta) + 2\delta = 1 + 2\delta - \beta$.

We wish to apply Theorem 3.5. Let $X$ and $W$ of Theorem 3.5 correspond to $X$ and $W'$ in our context. Denote the $\delta$ of Theorem 3.5 by $\delta' = \delta/\Pr(K = 1) > \delta/(1 + 2\delta - \beta)$ for $\delta$ in our context. The conclusion of the theorem then yields that for a fixed $g$ drawn from the distribution of $W'$, with probability at least $1 - 1/\lambda$,

$$\|Xg^{E_i}\| \le \sqrt{\lambda\,(1 - \delta'/2)}\;\|X\| \le a\|X\|, \qquad \text{where } a = \sqrt{\lambda\,\frac{2 + 3\delta - 2\beta}{2 + 4\delta - 2\beta}}.$$

(The second inequality uses $1 - \delta'/2 < 1 - \frac{\delta}{2(1 + 2\delta - \beta)} = \frac{2 + 3\delta - 2\beta}{2 + 4\delta - 2\beta}$.)



We have $\|Xg^{E_i}\|/\|X\|$ bounded above, and we wish to invoke Theorem 4.5 by identifying $Z$ with $\mathcal{R}_i$ and $A = \mathrm{supp}(X)$ with $A_m$. The conditions $\Pr(J = 0)\Pr(Y = g) = m$ for $g \in \mathrm{supp}(X)$ and $\Pr(J = 0)\Pr(Y = g) \le m$ for $g \notin \mathrm{supp}(X)$ hold also in our context. We invoke the theorem with $a$ as above, and $\Pr(Z \notin A_m) = \Pr(\mathcal{R}_i \notin A_m) \le 2\delta$. Recall that $\Pr(J = 1) \ge \beta - 2\delta$. So, the constant

$$c \;\overset{\mathrm{def}}{=}\; (1 - a^2)\,\frac{(\Pr(J = 1))^2}{1 + m|A_m|\Pr(Z \notin A_m)} \;\ge\; \left(1 - \lambda\,\frac{2 + 3\delta - 2\beta}{2 + 4\delta - 2\beta}\right)\frac{(\beta - 2\delta)^2}{1 + 2(1 - \beta)\delta}$$

in Theorem 4.5 is bounded below by a positive constant, using $m|A_m| < 1 - \beta$ and $\Pr(Z \notin A_m) \le 2\delta$ in the denominator. The random variable $W$ of Theorem 4.5 corresponds to $g^{E_i}$ in our current context and $Z$ corresponds to $\mathcal{R}_i$. To employ Theorem 4.5, we also require that $a < 1$, which makes $c > 0$; since $c \le 1 - a^2 < 1$, this gives $\sqrt{1 - c} < 1$. For $\lambda > 1$ sufficiently small, $a < 1$.

Hence, $0 < \sqrt{1 - c} < 1$ and $c$ is a constant determined by $\lambda$, $\delta$ and $\beta$. So, we have $\|\mathcal{R}_i g^{E_i}\| \le \sqrt{1 - c}\,\|\mathcal{R}_i\|$ with probability at least $(1 - 1/\lambda)$ for $g$ drawn from the distribution of $W'$. Since $W \overset{D}{=} W'^K T^{1-K}$, one sees that $\|\mathcal{R}_i g^{E_i}\| \le \sqrt{1 - c}\,\|\mathcal{R}_i\|$ for $g$ drawn from the distribution of $W$ with probability at least $(1 - 1/\lambda)\Pr(K = 1) \ge (1 - 1/\lambda)\delta$.





[Figure 3: Case 2: Left shaded part is the unnormalized probability density for $X$; right shaded part is the unnormalized probability density for $W'$ (shaded part has area less than 1).]



Case 2: ($m \le \delta$ and $\max_{g \in G} \Pr(\mathcal{R}_i = g) < 1 - \delta$ and $m|A_m| \ge 1 - \beta$ and $\Pr(V_1^{-1}V_2 \in A_m) < 0.997$) Intuitively, if $\Pr(W'X \in A_m)$ is small, then we will make progress toward a more uniform distribution via Corollary 3.3. We enforce this through $\Pr(V_1^{-1}V_2 \in A_m) < 0.997$. We choose an $X$ close to $V_2$ and choose $W' = V_1^{-1}$ as in Figure 3. One knows that $\|X\|$ and $\|W'\|$ are sufficiently large, since $m|A_m| \ge 1 - \beta$.

Let $X$ be a random variable such that $\Pr(X = g) = \Pr(\mathcal{R}_i = g)/\Pr(\mathcal{R}_i \in A_m)$ for $g \in A_m$ and $\Pr(X = g) = 0$ for $g \notin A_m$. Set $W' = V_1^{-1}$. Set $\Pr(J = 1) = \Pr(\mathcal{R}_i \in A_m)$ and note that $\Pr(J = 1) \ge 1 - 2\delta$. Similarly, set $\Pr(K = 1) = m|A_m|$ and note that $\Pr(K = 1) \ge 1 - \beta$.

One wishes to apply Corollary 3.3 with $X$ and $W'$. One shows that $\|W'X\| \le \sqrt{0.997}\,\|X\|$. Since $\Pr(W'X = g) = \sum_{h} \Pr(W' = gh^{-1})\Pr(X = h)$, one has $\Pr(W'X = g) \le \max_{h \in G} \Pr(W' = h) = 1/|A_m|$. So $\|W'X\|$ is maximized when $\Pr(W'X = g)$ equals $1/|A_m|$ or $0$ for all $g$. Note that $\mathrm{supp}(X) = A_m$. Define $Z$ and $\phi = \Pr(W'X \in A_m)$ as in Corollary 3.3. Hence, $Z = W'X \mid (W'X \in A_m)$. ($Z$ is the random variable $W'X$ conditioned on the event $W'X \in A_m$.) Note that one can write $X \overset{D}{=} V_2^{J'} Y'^{1-J'}$ for $\Pr(J' = 1) = m|A_m|/\Pr(\mathcal{R}_i \in A_m) \ge (1 - \beta)/(1 - \delta)$. So $1 - \phi = \Pr(W'X \notin A_m) \ge ((1 - \beta)/(1 - \delta))\Pr(W'V_2 \notin A_m) > 0.003(1 - \beta)/(1 - \delta)$. So, restricting to $g \in A_m$, where each $\Pr(W'X = g) \le 1/|A_m|$ and the total mass is $\phi$,

$$\sqrt{\sum_{g \in A_m} \Pr(W'X = g)^2} \;\le\; \sqrt{(1/|A_m|)^2\,|A_m|\,\big(1 - 0.003(1 - \beta)/(1 - \delta)\big)} \;\le\; \sqrt{1 - 0.003(1 - \beta)/(1 - \delta)}\;\|X\| \;<\; \sqrt{0.997}\;\|X\|,$$

using $\|X\| \ge \|U_{A_m}\| = 1/\sqrt{|A_m|}$ (Lemma 2.12) and $(1 - \beta)/(1 - \delta) \le 1$. Apply Corollary 3.3, with $X$ and $W'$ as above, and with $c = \sqrt{0.997}$. With probability $\Pr(K = 1) = m|A_m| \ge 1 - \beta$, a random $g$ drawn from the distribution of $\mathcal{R}_i$ is as if $g^{-1}$ were drawn from the distribution of $W'$. Note that $\phi < 1$. Applying the corollary now yields $\|g^{E_i}X\| \le \sqrt{\lambda(1 + c\phi)/2}\,\|X\| \le \sqrt{\lambda(1 + \sqrt{0.997})/2}\,\|X\|$ with probability at least $1 - 1/\lambda$ for $g$ drawn from the distribution of $W'$. We require $\lambda > 1$ to satisfy $\lambda(1 + \sqrt{0.997})/2 < 1$.

We wish to apply Theorem 4.4. (In fact, a variation of Theorem 4.4 is invoked for $WZ$ instead of for $ZW$.) The random variable $Y$ is defined by $\mathcal{R}_i \overset{D}{=} X^J Y^{1-J}$. To apply the theorem, we need a positive constant $c$ such that $\Pr(J = 1)\|X\| \ge c\Pr(J = 0)\|Y\|$. Note that $\Pr(J = 1)\|X\| \ge \Pr(J = 1)\|U_{A_m}\|$, since $\mathrm{supp}(X) = A_m$. Note that $\Pr(J = 0)\|Y\| \le \sqrt{(2\delta/m)\,m^2} = \sqrt{2m\delta}$, since $\Pr(J = 0)\Pr(Y = g) = \Pr(\mathcal{R}_i = g) \le m$ for $g \notin A_m$ and these probabilities sum to at most $2\delta$. Recall that $\|U_{A_m}\| = 1/\sqrt{|A_m|}$ by Lemma 2.12. Hence, one can choose

$$c = (1 - 2\delta)/\sqrt{2\delta},$$

since $\Pr(J = 1)\|X\| \ge \Pr(J = 1)\|U_{A_m}\| \ge (1 - 2\delta)\|U_{A_m}\| = c\sqrt{2\delta}\,\|U_{A_m}\| \ge c\sqrt{2\delta\,m|A_m|}\,\|U_{A_m}\| = c\sqrt{2m\delta} \ge c\Pr(J = 0)\|Y\|$.

Theorem 4.4 is then invoked with the above $c$ and with $a = \sqrt{\lambda(1 + \sqrt{0.997})/2}$. The $W$ and $Z$ of Theorem 4.4 correspond to $g^{E_i}$ and $\mathcal{R}_i$ in our context. So, $\|g^{E_i}\mathcal{R}_i\| \le \left((1 + ac)/\sqrt{1 + c^2}\right)\|\mathcal{R}_i\|$ with probability at least $(1 - 1/\lambda)$ for $g$ drawn from the distribution of $W'$. Since $W \overset{D}{=} W'^K T^{1-K}$, one sees that $\|g^{E_i}\mathcal{R}_i\| \le \left((1 + ac)/\sqrt{1 + c^2}\right)\|\mathcal{R}_i\|$ for $g$ drawn from the distribution of $W$ with probability at least $(1 - 1/\lambda)\Pr(K = 1) \ge (1 - 1/\lambda)(1 - \beta)$.

For the inequality $\|g^{E_i}\mathcal{R}_i\| \le \left((1 + ac)/\sqrt{1 + c^2}\right)\|\mathcal{R}_i\|$ to be useful, we require that $(1 + ac)/\sqrt{1 + c^2} < 1$. Squaring, this holds exactly when $2a < c(1 - a^2)$, i.e. when $a < 1$ and $c > 2a/(1 - a^2)$. For the former, we need only require that $\lambda > 1$ be sufficiently small so that $a = \sqrt{\lambda(1 + \sqrt{0.997})/2} < 1$. For the latter, it suffices to make $\delta$ sufficiently small, since $c = (1 - 2\delta)/\sqrt{2\delta}$ grows without bound as $\delta \to 0$. We omit the computation of the explicit requirements for $\delta$.




[Figure 4: Case 3: Shaded part is the unnormalized probability density for $X$ (shaded part has area less than 1).]



Case 3: ($m \le \delta$ and $\max_{g \in G} \Pr(\mathcal{R}_i = g) < 1 - \delta$ and $m|A_m| \ge 1 - \beta$ and $\Pr(V_1^{-1}V_2 \in A_m) \ge 0.997$) Intuitively, one constructs an $A'$ close to $A_m$ with $A'A'$ a subgroup of $G$ (Theorem 5.2). The argument then splits, based on whether $A'A'$ is proper in $G$. If $A'A'$ is proper in $G$, then we choose an $X$ close to $V_1$ as in Figure 4. The random variable $W = W'$ will be the distribution of random subproducts on the generators of $G$. Under the conditions of Case 3, one then shows that a random subproduct $g_i$ drawn from $W$ has probability at least $1/2$ of satisfying $A'g_i \cap A' = \emptyset$. Hence, $Xg_i$ escapes from the "fuzzy subgroup" $A_m$ with high probability (Theorem 5.2). So $Xg_i^{E_i}$ makes progress toward a uniform distribution. If, on the other hand, $A'A' = G$, then one can show that $\tilde{\mathcal{R}}_i^{-1}\mathcal{R}_i$ is already close to uniform.

We will first construct $A' \subseteq A_m$ such that $A'A'$ is a group. The random variable $X$ is then defined such that $\Pr(X = g) = \Pr(\mathcal{R}_i = g)/\Pr(\mathcal{R}_i \in A')$ for $g \in A'$ and $\Pr(X = g) = 0$ for $g \notin A'$. Let $W = W'$ be the distribution of random subproducts on the generators of $G$. Let $\Pr(J = 1) = \Pr(\mathcal{R}_i \in A')$. Note that $\Pr(J = 1) \ge m|A'|$; we show below that $|A'| > 0.85|A_m|$, so that $\Pr(J = 1) \ge 0.85\,m|A_m| \ge 0.85(1 - \beta)$.

Since $\Pr(V_1^{-1}V_2 \in A_m) \ge 0.997$, $\Pr(V_1^{-1}V_2 \notin A_m^{-1}) = \Pr(V_2^{-1}V_1 = (V_1^{-1}V_2)^{-1} \notin A_m) \le 0.003$. Recall that $V_1$, $V_2$ and $U_{A_m}$ are identically distributed. Let $\bar{V}_1$ and $\bar{V}_2$ be independent random variables with the same distribution as $U_{A_m \cap A_m^{-1}}$. Hence, $\Pr(\bar{V}_1^{-1}\bar{V}_2 \notin A_m \cap A_m^{-1}) \le \Pr(\bar{V}_1^{-1}\bar{V}_2 \notin A_m) + \Pr(\bar{V}_1^{-1}\bar{V}_2 \notin A_m^{-1}) \le 0.006$.

We claim there exists an $A' \subseteq A_m \cap A_m^{-1}$ with $A'A'$ a group, $|A'A' \setminus A'| < |A'|/2$, and $|A'| > (9/10)|A_m \cap A_m^{-1}|$. To see this, apply Theorem 5.2 with the constants of Remark 2. In particular, $k = 20$ and $\epsilon = 1/160 > 0.006$. For a random $(u, v)$ drawn from $\bar{V}_1 \times \bar{V}_2$, $u^{-1}v \notin A_m \cap A_m^{-1}$ with probability at most $0.006 < \epsilon$, so alternative 1 of the theorem fails. So we conclude from Theorem 5.2 that there is an $A' \subseteq A_m \cap A_m^{-1}$ with $A'A'$ a group, and $|(A_m \cap A_m^{-1}) \setminus A'| < 2|A_m \cap A_m^{-1}|/k = |A_m \cap A_m^{-1}|/10$. So, $|A'| > (9/10)|A_m \cap A_m^{-1}|$. The inequality $|A'A' \setminus A'| < |A'|/2$ follows from applying the constant $\delta = 1/4$ of Remark 2 to $|A'A' \setminus A'| < \frac{\delta}{1 - 2\delta}|A'|$ in Theorem 5.2.

We claim $|A_m \cap A_m^{-1}| \ge 0.976|A_m|$. Since $V_1$ and $V_2$ are independent, $E(|(A_m^{-1}V_2) \cap A_m|/|A_m|) = |\{(u, v) \in A_m \times A_m : u^{-1}v \in A_m\}|/|A_m|^2 = \Pr(V_1^{-1}V_2 \in A_m) \ge 0.997$. Similarly, $E(|(A_m^{-1}V_1) \cap A_m^{-1}|/|A_m|) = E(|(V_1^{-1}A_m) \cap A_m|/|A_m|) = \Pr(V_1^{-1}V_2 \in A_m) \ge 0.997$. Applying Markov's inequality with its parameter $\lambda = 4$ yields $\Pr(|(A_m^{-1}V_2) \cap A_m|/|A_m| \ge 0.988) \ge 3/4$ and $\Pr(|(A_m^{-1}V_1) \cap A_m^{-1}|/|A_m| \ge 0.988) \ge 3/4$. So, at least half of the elements $h \in A_m$ satisfy both $|(A_m^{-1}h) \cap A_m|/|A_m| \ge 0.988$ and $|(A_m^{-1}h) \cap A_m^{-1}|/|A_m| \ge 0.988$. Choosing one such $h$ yields $|A_m^{-1} \cap A_m|/|A_m| \ge |A_m^{-1}h \cap A_m^{-1} \cap A_m|/|A_m| \ge 0.976$, since $|A_m^{-1}h| = |A_m|$ and each of the two intersections excludes at most $0.012|A_m|$ elements of $A_m^{-1}h$.

Combining $|A'| > (9/10)|A_m \cap A_m^{-1}|$ and $|A_m \cap A_m^{-1}| \ge 0.976|A_m|$ yields $|A'| > 0.878|A_m| > 0.85|A_m|$. Recall that $A' \subseteq A_m$, $A'A'$ is a group, and $|A'A' \setminus A'| < |A'|/2$. If $|A_m| < (2/3)|G|$, then $|A'A'| < (3/2)|A'| \le (3/2)|A_m| < |G|$ and so $A'A'$ is proper in $G$ ($A'A' \subsetneq G$).

Assume for the remainder of this case that $|A_m| < (2/3)|G|$, and hence $A'A' \subsetneq G$. We show that $\|Xg^{E_i}\| = \|X\|/\sqrt{2}$ for $g$ drawn from $W$, with probability at least $1/2$. Let $W$ be a uniform random variable on the random subproducts on the generators of the group $G$. By Lemma 2.4, $|A'A'| < |G|$ implies $\Pr(W \notin A'A') \ge 1/2$. Composing $\Pr(W \notin A'A') \ge 1/2$ with Lemma 2.6 implies that $\Pr(A'W \cap A' = \emptyset) \ge 1/2$ (indeed, if $aw = a'$ with $a, a' \in A'$, then $w = a^{-1}a' \in A'A'$). Since $\mathrm{supp}(X) = A'$, $\|Xg^{E_i}\| = \|X\|/\sqrt{2}$ with probability at least $1/2$ for $g$ drawn from $W$: when $A'g \cap A' = \emptyset$, the two halves of $Xg^{E_i}$ have disjoint supports and $\|Xg^{E_i}\|^2 = \frac{1}{4}\|X\|^2 + \frac{1}{4}\|Xg\|^2 = \frac{1}{2}\|X\|^2$.

We wish to apply Theorem 4.4. The random variable $Y$ is defined by $\mathcal{R}_i \overset{D}{=} X^J Y^{1-J}$. To apply the theorem, we need a positive constant $c$ such that $\Pr(J = 1)\|X\| \ge c\Pr(J = 0)\|Y\|$. Recall that $\|U_{A_m}\| = 1/\sqrt{|A_m|}$ by Lemma 2.12 and similarly $\|U_{A'}\| = 1/\sqrt{|A'|}$. Since $\mathrm{supp}(X) = A' \subseteq A_m$, $\|X\| \ge \|U_{A'}\| \ge \|U_{A_m}\|$, and with $\Pr(J = 1) \ge 0.85(1 - \beta)$ this gives $\Pr(J = 1)\|X\| \ge 0.85(1 - \beta)\|U_{A_m}\|$. Note that $\Pr(J = 0)\|Y\| \le \sqrt{(2\delta/m)\,m^2} = \sqrt{2m\delta}$. Hence, one can choose

$$c = 0.85(1 - \beta)/\sqrt{2\delta},$$

since $\Pr(J = 1)\|X\| \ge 0.85(1 - \beta)\|U_{A_m}\| = c\sqrt{2\delta}\,\|U_{A_m}\| \ge c\sqrt{2\delta\,m|A_m|}\,\|U_{A_m}\| = c\sqrt{2m\delta} \ge c\Pr(J = 0)\|Y\|$.

Theorem 4.4 is then invoked with the above $c$ and with $a = 1/\sqrt{2}$. The $W$ and $Z$ of Theorem 4.4 correspond to $g^{E_i}$ and $\mathcal{R}_i$ in our context. So, $\|\mathcal{R}_i g^{E_i}\| \le \left((1 + ac)/\sqrt{1 + c^2}\right)\|\mathcal{R}_i\|$ with probability at least $1/2$ for $g$ drawn from the distribution of $W$.

For the inequality $\|\mathcal{R}_i g^{E_i}\| \le \left((1 + ac)/\sqrt{1 + c^2}\right)\|\mathcal{R}_i\|$ to be useful, we require that $(1 + ac)/\sqrt{1 + c^2} < 1$, which (as in Case 2) holds exactly when $c > 2a/(1 - a^2) = 2\sqrt{2}$ for $a = 1/\sqrt{2}$. For this, it suffices to make $1 - \beta > 4\sqrt{\delta}/0.85$, since then $c = 0.85(1 - \beta)/\sqrt{2\delta} > 4\sqrt{\delta}/\sqrt{2\delta} = 2\sqrt{2}$.



The preceding analysis demonstrates the following lemma.

Lemma 6.2 Let $\tilde{\mathcal{R}}_i$ be independent and identically distributed to $\mathcal{R}_i$. For any choice of positive parameters $a$, $b$ and $c$ in the Fibonacci cube algorithm, there are constants $\alpha < 1$, $p > 0$, $\beta > 0$ and $\tau > 0$ such that for $i \ge \tau\log|G|$ one of the following holds:

(i) $\|\mathcal{R}_{i+1}\| \le \alpha\|\mathcal{R}_i\|$ with probability at least $p$; or

(ii) $\Pr(\tilde{\mathcal{R}}_i^{-1}\mathcal{R}_i = g) \ge (3/4)(1 - \beta)^2/|G|$ for all $g \in G$.

Further, let $\phi > 1$. For $i \ge \tau\log|G| + (\phi/p)(1 + (1/2)\log_{1/\alpha}|G|)$, case (ii) above occurs with probability at least $1 - \exp(-(\phi(1 - 1/\phi)^2/4)\log_{1/\alpha}|G|)$.

Proof: The proof follows from the analysis of the three cases just presented. As discussed in the analysis of Case 0, after a constant number of steps of the Fibonacci cube algorithm, Case 0 will never again be revisited, with high probability. Therefore, after $\tau\log|G|$ steps, for some constant $\tau$, the probability of ever revisiting Case 0 will be less than $\exp(-\log|G|)$. Hence, we can ignore Case 0 for purposes of the analysis.

We show that $|A_m| < (2/3)|G|$ implies case (i) and that $|A_m| \ge (2/3)|G|$ implies case (ii). Assume first that $|A_m| < (2/3)|G|$. In each of the three cases, we concluded that $\|\mathcal{R}_{i+1}\| = \|\mathcal{R}_i g^{E_i}\| \le \alpha\|\mathcal{R}_i\|$ or $\|\mathcal{R}_{i+1}\| = \|g^{E_i}\mathcal{R}_i\| \le \alpha\|\mathcal{R}_i\|$ with probability at least $p$ for appropriate $\alpha < 1$ and $p > 0$. (In Case 3, this conclusion need not hold if $|A_m| \ge (2/3)|G|$.) The parameters $\alpha$ and $p$ are defined in terms of $\beta$, $\delta$, $\lambda$ and $G$ for each of the three cases.

In order to make the parameter $\alpha$ independent of the particular case, one chooses $\alpha$ to be the maximum of the three definitions for each of the three cases. In order to make $p$ independent of the particular case, define $p_1$, $p_2$ and $p_3$ to be the probabilities for the three cases. Then let $p = \min(p_1/(ad),\, p_2/(bd),\, p_3/(cd))$ for $d = 1/a + 1/b + 1/c$. In particular, $p$ can be maximized by choosing $a = p_1$, $b = p_2$ and $c = p_3$, whereupon $p = 1/(1/p_1 + 1/p_2 + 1/p_3)$.

It remains to verify that the constants $\beta$, $\delta$ and $\lambda$ can be simultaneously chosen to meet the requirements of the analysis in Cases 1, 2 and 3. Recall that $1 > \beta > 2\delta > 0$ and $\lambda > 1$. Collecting the bounds from Case 1, we require $\lambda > 1$ to be sufficiently small that $a = \sqrt{\lambda\,\frac{2 + 3\delta - 2\beta}{2 + 4\delta - 2\beta}} < 1$. Collecting the bounds from Case 2, we require $\lambda > 1$ such that $\lambda(1 + \sqrt{0.997})/2 < 1$. We further require that $\delta$ be sufficiently small to satisfy $(1 + ac)/\sqrt{1 + c^2} < 1$ for $c = (1 - 2\delta)/\sqrt{2\delta}$. The bounds from Case 3 require $1 - \beta > 4\sqrt{\delta}/0.85$. All of these hold, for instance, for $\lambda$ close enough to $1$ and then $\delta$ small enough relative to a fixed $\beta \in (0, 1)$.

There can be at most $\log_{1/\alpha}\sqrt{|G|} = O(\log|G|)$ distinct instances of $i$ such that $\|\mathcal{R}_{i+1}\| \le \alpha\|\mathcal{R}_i\|$. To see this, note that $\|\mathcal{R}_1\| = 1$ and $\|\mathcal{R}_i\| \ge \|U_G\| = 1/\sqrt{|G|}$ for all $i$ by Lemma 2.12, and that $\|\mathcal{R}_{i+1}\| \le \|\mathcal{R}_i\|$ by Lemma 2.10.

With the probability in the statement of the lemma, we must show we are in Case 3 and $|A_m| \ge (2/3)|G|$ after the stated number of steps. We will then show that this implies case (ii). We define the $i$-th step to be a success if $\|\mathcal{R}_{i+1}\| \le \alpha\|\mathcal{R}_i\|$. So, at most $\log_{1/\alpha}\sqrt{|G|}$ successes may occur for distinct $i$. We know that for a given $i$, a success will occur with probability at least $p$, or else $|A_m| \ge (2/3)|G|$.

Consider Chernoff's bound. Assume a success occurs with probability at least $p$ on each trial, and assume $t = (1 + \log_{1/\alpha}\sqrt{|G|})/(p(1 - \epsilon))$ trials. Chernoff's bound predicts at least $\lfloor(1 - \epsilon)pt\rfloor > \log_{1/\alpha}\sqrt{|G|}$ successes over $t$ trials with probability at least $1 - \exp(-\epsilon^2 pt/2)$. We have seen that more than $\log_{1/\alpha}\sqrt{|G|}$ successes are impossible. So, with probability at least $1 - \exp(-\epsilon^2 pt/2)$, we are in Case 3 and $|A_m| \ge (2/3)|G|$ for some step $j$ among the first $t$ steps. Let $\epsilon = 1 - 1/\phi$ for $\phi > 1$. This yields the probability of the lemma.

Hence, there is a $j$ such that $\mathcal{R}_j$ is in Case 3 and $|A_m| \ge (2/3)|G|$. The condition $m|A_m| \ge 1 - \beta$ of Case 3 says that the uniform part of $\mathcal{R}_j$ on $A_m$ carries mass at least $1 - \beta$. Define a $\{0, 1\}$-random variable $J$ such that $\Pr(J = 1) = m|A_m|$. Note $\Pr(J = 1) \ge 1 - \beta$. Let $\mathcal{R}_j \overset{D}{=} X^J Y^{1-J}$ for $X = U_{A_m}$. Let $\tilde{J}$ be independent and distributed identically to $J$. Similarly, let $\tilde{X}$ be independent and distributed identically to $X$. Then for $V$ an arbitrary $G$-valued random variable, $\tilde{\mathcal{R}}_j^{-1}V\mathcal{R}_j \overset{D}{=} (\tilde{X}^{-1}VX)^{\tilde{J}J}\,Y'^{\,1 - \tilde{J}J}$ for some $G$-valued independent random variable $Y'$.

We show that for an arbitrary $G$-valued random variable $V$, $\Pr(\tilde{\mathcal{R}}_j^{-1}V\mathcal{R}_j = g) \ge (3/4)(1 - \beta)^2/|G|$ for all $g \in G$ when $|A_m| \ge (2/3)|G|$. With probability at least $(1 - \beta)^2$, $\tilde{J} = J = 1$. Hence, with probability at least $(1 - \beta)^2$, we can take $\tilde{\mathcal{R}}_j^{-1}V\mathcal{R}_j = \tilde{X}^{-1}VX$. Applying Lemma 2.8 with $A = A_m$ and $a = 2/3$, one sees that $\tilde{X}^{-1}VX$ is $1/2$-uniform and that $\Pr(\tilde{X}^{-1}VX = g) \ge (3/4)/|G|$. (Directly: for fixed $v$, $\Pr(\tilde{X}^{-1}vX = g) = |A_m \cap v^{-1}A_m g|/|A_m|^2 \ge (2|A_m| - |G|)/|A_m|^2$, and $(2x - |G|)/x^2$ is increasing for $x \le |G|$ with value $(3/4)/|G|$ at $x = (2/3)|G|$.)

We have seen $\Pr(\tilde{\mathcal{R}}_j^{-1}V\mathcal{R}_j = g) \ge (3/4)(1 - \beta)^2/|G|$. We show that $\Pr(\tilde{\mathcal{R}}_i^{-1}\mathcal{R}_i = g) \ge (3/4)(1 - \beta)^2/|G|$ for all $i \ge j$. To see this, define $\mathcal{X} = \tilde{\mathcal{R}}_i^{-1}\mathcal{R}_i = V_1\tilde{\mathcal{R}}_j^{-1}V_2\mathcal{R}_jV_3$, where $V_1$, $V_2$ and $V_3$ collect the factors multiplied onto $\mathcal{R}_j$ and $\tilde{\mathcal{R}}_j$ in steps $j, \ldots, i - 1$. For $U$ uniform on $G$, we can write $\tilde{\mathcal{R}}_j^{-1}V_2\mathcal{R}_j \overset{D}{=} U^J Y^{1-J}$ for $J$ an independent $\{0, 1\}$-random variable with $\Pr(J = 1) = (3/4)(1 - \beta)^2$ (the decomposition of Lemma 4.1). So $\mathcal{X} \overset{D}{=} (V_1UV_3)^J(V_1YV_3)^{1-J}$. Multiplying a uniform random variable by independent factors leaves it uniform, so $V_1UV_3$ is uniform. So $\Pr(\mathcal{X} = g) \ge \Pr(J = 1)/|G| = (3/4)(1 - \beta)^2/|G|$ for all $g \in G$. □

For some applications, Lemma 6.2 may suffice, since it promises to produce each group element with a minimum probability $(3/4)(1 - \beta)^2/|G|$. For an $\epsilon$-uniform random distribution, one must do a little more. The next section is concerned with producing an $\epsilon$-uniform distribution.



7 Constructing $\epsilon$-uniform from $\epsilon$-semi-uniform

Lemma 6.2 shows that for $i$ sufficiently large, Algorithm Fibonacci Cube constructs an $\alpha$-semi-uniform random variable $\tilde{\mathcal{R}}_i^{-1}\mathcal{R}_i$, with the stated probability, for $\alpha = 1 - (3/4)(1 - \beta)^2$ (so that every element has probability at least $(1 - \alpha)/|G|$, as Definition 5 requires). This section shows that constructing an $\epsilon$-semi-uniform random distribution is tantamount to constructing a $\gamma$-uniform random distribution for some constant $\gamma < 1$. This is shown in the next theorem, which uses $W = \tilde{\mathcal{R}}_i^{-1}\mathcal{R}_i$ in order to efficiently construct a $\max(\alpha, 7/8)$-uniform random variable.



Theorem 7.1 Let $G$ be a group. Let $W$ be an $\alpha$-semi-uniform random variable on $G$. Let $\mathcal{P}_0$ be an arbitrary $G$-valued random variable. Let $E_i$ be independent, uniform random variables on $\{0, 1\}$. For all $i \ge 0$, define $\mathcal{P}_{i+1} = \mathcal{P}_i g_i^{E_i}$ for $g_i$ drawn from the distribution of $W$. Let $\gamma = 14/(11 + 3\alpha)$. Then, $\Pr(\mathcal{P}_t = g) \le (15/8)/|G|$ for all $g \in G$ and $t \ge 2\log_\gamma|G| + \log_\gamma(64\lambda)$, with probability at least $1 - 1/\lambda$. Hence $W\mathcal{P}_t$ is a $\max(\alpha, 7/8)$-uniform random variable with probability at least $1 - 1/\lambda$.

Proof: Define the set $A_i = \{g : \Pr(\mathcal{P}_i = g) \ge (7/4)/|G|\}$. Note that $|G \setminus A_i| \ge (3/7)|G|$, since otherwise $|A_i| > (4/7)|G|$, which implies $\Pr(\mathcal{P}_i \in A_i) = \sum_{g \in A_i} \Pr(\mathcal{P}_i = g) \ge |A_i|(7/4)/|G| > 1$.

Define $T_i = \sum_{h \in A_i} (\Pr(\mathcal{P}_i = h) - (7/4)/|G|)^2$ for $i \ge 0$. We will find an upper bound on $E(T_{i+1})$ as compared to $T_i$. Define $x_h = \Pr(\mathcal{P}_i = h) - (7/4)/|G|$. Hence $x'_h \overset{\mathrm{def}}{=} \Pr(\mathcal{P}_{i+1} = h) - (7/4)/|G| = x_h/2 + x_{hg_i^{-1}}/2$, since $E_i$ and $\mathcal{P}_i$ are independent. Note that for $i \ge 0$,

$$T_i = \sum_{h \in A_i} (\Pr(\mathcal{P}_i = h) - (7/4)/|G|)^2 = \sum_{h \in G} (\max(0, x_h))^2.$$

We show that $T_{i+1} \le T_i$ for any value of $g_i$. Recall that $\mathcal{P}_{i+1} = \mathcal{P}_i g_i^{E_i}$.

$$\begin{aligned}
T_{i+1} &= \sum_{h \in A_{i+1}} (\Pr(\mathcal{P}_{i+1} = h) - (7/4)/|G|)^2 = \sum_{h \in G} (\max(0, x'_h))^2 = \sum_{h \in G} \left(\max\left(0, \tfrac{x_h}{2} + \tfrac{x_{hg_i^{-1}}}{2}\right)\right)^2 \\
&\le \frac{1}{4}\sum_{h \in G} (\max(0, x_h))^2 + \frac{1}{4}\sum_{h \in G} (\max(0, x_{hg_i^{-1}}))^2 + \frac{1}{2}\sum_{h \in G} \max(0, x_h)\max(0, x_{hg_i^{-1}}) \\
&\le T_i/4 + T_i/4 + T_i/2 = T_i
\end{aligned}$$

where the Cauchy-Schwarz inequality was invoked to show

$$\sum_{h \in G} \max(0, x_h)\max(0, x_{hg_i^{-1}}) \le \sqrt{\sum_{h \in G} (\max(0, x_h))^2}\;\sqrt{\sum_{h \in G} (\max(0, x_{hg_i^{-1}}))^2} = T_i.$$

Since $W$ is $\alpha$-semi-uniform, by Lemma 4.1 we can write $W \overset{D}{=} U^J V^{1-J}$ for $G$-valued random variables $U$ and $V$, with $U$, $V$ and $J$ independent, $U$ uniform, and $\Pr(J = 1) = 1 - \alpha$. Note that $2\left(\frac{x}{2} + \frac{y}{2}\right)^2 \le x^2 + y^2$ follows from elementary algebra. Note that $x_g < 0$ for $g \notin A_i$. The notation $E_{g_i \in U}(f(g_i))$ denotes $E(f(U))$ for a function $f(\cdot)$ from $G$ to the real numbers. Since $U$ and $\mathcal{P}_i$ are independent, if one conditions on $J = 1$ (implying that $g_i$ is drawn from $U$), then $k = hg_i^{-1}$ is uniform on $G$ for each fixed $h$, and the following is true. (Pairs with $h, k \notin A_i$ contribute $0$; pairs with exactly one of $h, k$ in $A_i$ contribute at most a quarter of the square of the positive term; pairs with both in $A_i$ are bounded using $2(\frac{x}{2} + \frac{y}{2})^2 \le x^2 + y^2$.)

$$\begin{aligned}
E_{g_i \in U}(T_{i+1} \mid J = 1) &= E_{g_i \in U}\left(\sum_{h \in G} \left(\max\left(0, \tfrac{x_h}{2} + \tfrac{x_{hg_i^{-1}}}{2}\right)\right)^2\right) = \frac{1}{|G|}\sum_{h \in G}\sum_{k \in G} \left(\max\left(0, \tfrac{x_h}{2} + \tfrac{x_k}{2}\right)\right)^2 \\
&\le \frac{1}{|G|}\left[\sum_{h \in A_i}\sum_{k \in A_i} \frac{x_h^2 + x_k^2}{2} + \sum_{h \in A_i}\sum_{k \notin A_i} \frac{x_h^2}{4} + \sum_{h \notin A_i}\sum_{k \in A_i} \frac{x_k^2}{4}\right] \\
&= \frac{|A_i|}{|G|}T_i + \frac{|G \setminus A_i|}{4|G|}T_i + \frac{|G \setminus A_i|}{4|G|}T_i = \frac{|A_i|}{|G|}T_i + \frac{|G \setminus A_i|}{2|G|}T_i.
\end{aligned}$$

Recalling that $|G \setminus A_i| \ge (3/7)|G|$, one sees

$$E_{g_i \in U}(T_{i+1} \mid J = 1) \le \frac{4}{7}T_i + \frac{3}{14}T_i = \frac{11}{14}T_i.$$

Let $\gamma = 14/(11 + 3\alpha)$. Then $E(T_{i+1}) \le E(T_i)/\gamma$. To see this, note $E(T_{i+1}) = \Pr(J = 1)E(T_{i+1} \mid J = 1) + \Pr(J = 0)E(T_{i+1} \mid J = 0) \le (1 - \alpha)(11/14)E(T_i) + \alpha E(T_i) = (11/14 + 3\alpha/14)E(T_i)$. An easy induction implies $E(T_{i+k}) \le E(T_i)/\gamma^k$.

Let $\lambda > 1$ and let $t \ge 2\log_\gamma(8\sqrt{\lambda}|G|) = \log_{1/\gamma}(1/(8\sqrt{\lambda}|G|)^2)$. Since $T_0 \le 1$, $E(T_t) \le 1/(8\sqrt{\lambda}|G|)^2$. For $\lambda > 1$ in Markov's inequality, one has $\Pr(T_t \le 1/(8|G|)^2) = \Pr(T_t \le \lambda/(8\sqrt{\lambda}|G|)^2) \ge \Pr(T_t \le \lambda E(T_t)) \ge 1 - 1/\lambda$. So,

$$\Pr(T_t \le 1/(8|G|)^2) \ge 1 - 1/\lambda \quad \text{for } t \ge 2\log_\gamma(8\sqrt{\lambda}|G|).$$

Note that $T_t = \sum_{h \in A_t} (\Pr(\mathcal{P}_t = h) - (7/4)/|G|)^2 \le 1/(8|G|)^2$ implies that $\max_{h \in A_t} (\Pr(\mathcal{P}_t = h) - (7/4)/|G|)^2 \le 1/(8|G|)^2$, while $\Pr(\mathcal{P}_t = h) < (7/4)/|G|$ for $h \notin A_t$. So $\max_{h \in G} \Pr(\mathcal{P}_t = h) \le 15/(8|G|)$. If $\Pr(\mathcal{P}_t = g) \le (15/8)/|G|$ for all $g \in G$, then, since $\Pr(W\mathcal{P}_t = g) = \sum_{h \in G} \Pr(W = gh^{-1})\Pr(\mathcal{P}_t = h)$ lies between $\min_{h} \Pr(W = h)$ and $\max_{h} \Pr(\mathcal{P}_t = h)$,

$$(1 - \alpha)/|G| \le \min_{g \in G} \Pr(W\mathcal{P}_t = g) \le \max_{g \in G} \Pr(W\mathcal{P}_t = g) \le \max_{g \in G} \Pr(\mathcal{P}_t = g) \le (15/8)/|G|.$$

Hence $W\mathcal{P}_t$ is $\max(\alpha, 7/8)$-uniform with the given probability. □



Corollary 7.2 Assume a random variable $X$ on $G$ is $\alpha$-semi-uniform. Assume it costs $c$ group operations to compute a group element drawn from the distribution of $X$. There is a fixed constant $\gamma$ such that one can construct a $\gamma$-uniform random variable $Y$ for which one can draw a group element from the distribution of $Y$ using $O(c + \log|G|/(1 - \alpha))$ group operations. The cost of constructing $Y$ is $O(c\log|G|/(1 - \alpha))$ group operations.

The proof of the corollary is clear. 

Theorem 7.3 Let $G = \langle S \rangle$ be a black box group with $|G| \le L$. One can construct an $\epsilon$-uniform $X$ such that the cost of computing a group element from the distribution of $X$ is $O((\log(1/\epsilon))\log|G|)$ group operations. The cost of constructing $X$ is $O(\log^2|G| + |S|\log|G|)$. Where $|G|$ is not known a priori, one can replace $|G|$ by $L$ in the asymptotic estimates.

Proof: The timing of the Fibonacci cube algorithm is immediate since $O(\log|G| + |S|)$ group operations are required to compute each $g_i$, and $t = O((\log 1/\epsilon)\log|G|)$. So, the timing of the pseudo-code is $O(\log^2|G| + |S|\log|G|)$. To compute an element from the distribution of $R_t^{-1}R_t$ then requires $t = O((\log 1/\epsilon)\log|G|)$ group multiplications, where each factor $g_i^{E_i}$ of $R_t$ contributes at most one to the number of multiplications.

Lemma 6.2 shows that one can construct an $\alpha$-semi-uniform random variable $X_1 = R_t^{-1}R_t$ for $\alpha = (3/4)(1 - p)^2$ in $O(b\log|G|)$ steps for $b = (\phi/p)/\log(1/\alpha)$. Hence, $O(b^2\log^2|G| + |S|\log|G|)$ group operations are required to construct $X_1$. Computing an element from the distribution of $X_1$ costs $O(b\log|G|)$ group operations.

Corollary 7.2 shows that one can construct a $\gamma$-uniform random variable $X_2$ using $O(b\log^2|G|/(1 - \alpha) + |S|\log|G|)$ group operations. One can compute a group element from the distribution of $X_2$ using $O((b + 1/(1 - \alpha))\log|G|)$ group operations.

Since $\beta$, $\alpha$, $\phi$ and $p$ are all constants, this implies that one can construct $X_2$ using $O(\log^2|G| + |S|\log|G|)$ group operations and one can compute an element from $X_2$ using $O(\log|G|)$ group operations.

It remains to construct an $\epsilon$-uniform random element from the given $\gamma$-uniform random element for arbitrary $\epsilon > 0$. We take the product of $\lceil \log_2\epsilon / \log_2\gamma \rceil$ many independent $\gamma$-uniform elements (each drawn from the distribution of $X_2$). By Lemma 4.2, this suffices to produce an $\epsilon$-uniform random element.

To compute an $\epsilon$-uniform random element requires $O(\log 1/\epsilon)$ $\gamma$-uniform random elements. So, the number of operations to produce an $\epsilon$-uniform random element is $O((\log 1/\epsilon)\log|G|)$. □
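Two steps of this proof can be checked by hand on a small group: the random-subproduct construction $R_t^{-1}R_t$ and the amplification step of Lemma 4.2, by which $\lceil \log_2\epsilon/\log_2\gamma \rceil$ independent $\gamma$-uniform factors give an $\epsilon$-uniform product. The following Python is an added example, not code from the paper: it computes the exact distribution of $R_t^{-1}R'_t$ (independent bits $E_i$, $E'_i$) for a few permutations of $S_4$, measures its $\epsilon$ (the least $\epsilon$ with $(1-\epsilon)/|G| \le \Pr \le (1+\epsilon)/|G|$), and checks that the product of two independent copies satisfies $\epsilon(XY) \le \epsilon(X)\,\epsilon(Y)$. That inequality holds in any finite group: writing $\Pr(X = h) = (1 + \delta_h)/|G|$ and $\Pr(Y = k) = (1 + \delta'_k)/|G|$, one has $\Pr(XY = g) = \frac{1}{|G|}\bigl(1 + \frac{1}{|G|}\sum_h \delta_h \delta'_{h^{-1}g}\bigr)$ because $\sum_h \delta_h = \sum_k \delta'_k = 0$. Random permutations stand in for the $g_i$ that the Fibonacci cube algorithm would supply; that algorithm is not implemented here, which is an assumption of the example.

```python
import itertools
import random
from collections import Counter

# Permutations of range(n) as tuples. compose(p, q) applies p first, then q, so
# building R_t = g_1^{E_1} ... g_t^{E_t} left to right is repeated right
# multiplication, matching the paper's random subproducts.
def compose(p, q):
    return tuple(q[i] for i in p)

def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)

def identity(n):
    return tuple(range(n))

def subproduct_dist(gs, n):
    """Exact distribution of R_t^{-1} R'_t, where R_t = g_1^{E_1} ... g_t^{E_t},
    R'_t = g_1^{E'_1} ... g_t^{E'_t}, and all 2t bits are independent fair coins.
    Enumerates the 2^t prefixes once and then all 4^t pairs; fine for small t."""
    prefixes = Counter()
    for bits in itertools.product((0, 1), repeat=len(gs)):
        r = identity(n)
        for g, e in zip(gs, bits):
            if e:
                r = compose(r, g)
        prefixes[r] += 1
    total = 2 ** len(gs)
    dist = Counter()
    for r, cr in prefixes.items():
        for s, cs in prefixes.items():
            dist[compose(inverse(r), s)] += cr * cs
    return {g: c / total ** 2 for g, c in dist.items()}

def sample_subproduct(gs, n, rng=None):
    """One draw from R_t^{-1} R'_t with fresh coin flips.  Returns the element and the
    number of group operations spent: one multiplication per factor actually used,
    one inversion, and one final multiplication (the appendix counts similarly)."""
    rng = rng or random.Random()
    ops = 0
    r, s = identity(n), identity(n)
    for g in gs:
        if rng.random() < 0.5:
            r = compose(r, g); ops += 1
        if rng.random() < 0.5:
            s = compose(s, g); ops += 1
    return compose(inverse(r), s), ops + 2

def epsilon(dist, order):
    """Smallest eps with (1-eps)/|G| <= Pr(X=g) <= (1+eps)/|G| for all g in G;
    elements missing from dist have probability 0 and force eps >= 1."""
    probs = list(dist.values()) + [0.0] * (order - len(dist))
    return max(abs(order * p - 1.0) for p in probs)

def convolve(d1, d2):
    """Distribution of XY for independent X ~ d1 and Y ~ d2."""
    out = Counter()
    for a, pa in d1.items():
        for b, pb in d2.items():
            out[compose(a, b)] += pa * pb
    return dict(out)

def demo(n=4, t=6, seed=1):
    """Constructed input: t random elements of S_n stand in for the g_i.  Returns eps
    for one copy of R^{-1}R' and eps for the product of two independent copies."""
    rng = random.Random(seed)
    gs = []
    for _ in range(t):
        p = list(range(n)); rng.shuffle(p); gs.append(tuple(p))
    order = 1
    for i in range(2, n + 1):
        order *= i
    d = subproduct_dist(gs, n)
    return epsilon(d, order), epsilon(convolve(d, d), order)

if __name__ == "__main__":
    e1, e2 = demo()
    print("eps(one copy) = %.4f  eps(product of two) = %.4f  eps^2 = %.4f" % (e1, e2, e1 * e1))
```

The exact enumeration is only there to make the $\epsilon$ values checkable; in practice one draws with `sample_subproduct` and never materialises the distribution. Note that `epsilon` returns at least 1 whenever some element of the group is missed by $R_t^{-1}R'_t$, which is exactly the situation Section 8 warns about when $2^{2t}$ is not much larger than $|G|$.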



Remark 3 Chernoff's bound shows that the probability of error can be further reduced by a power of $n$ at the cost of multiplying $t$ by the factor $n$.



Theorem 7.3 states a complexity of $O(\log^2|G| + |S|\log|G|)$ group operations. In the unusual case that $|S|$ exceeds $O(\log|G|)$, there is a black box algorithm to quickly produce a smaller generating set [BCF+91, CF93]. We quote that theorem here.



Theorem 7.4 (from [BCF+91, Theorem 2.3]) Let $G = \langle S \rangle$ be a finite group. Let $L$ be a known upper bound on the length of all subgroup chains in $G$. Then for any fixed parameter $p$ such that $0 < p < 1$, with probability at least $p$ one can find a generating set $S'$ with $|S'| = O(L\log(1/(1 - p)))$, using $O(|S|\log L\,\log(1/(1 - p)))$ group operations.



8 Experimental Results 

The current results are highly preliminary. For the Fibonacci cube algorithm, we initialize the first elements of the cube to be the group generators. We take the parameters $a = b = c = 1$ as a simple heuristic choice. We compute only $R_t^{-1}R_t$, which, in principle, is $\epsilon$-semi-uniform, but not necessarily $\epsilon$-uniform. We take $t = 20$, 25, and 30. After the precomputation of the $g_1, \ldots, g_t$ that determine $R_t^{-1}R_t$, we draw 10,000 elements from the distribution of $R_t^{-1}R_t$.

The table shows the results of tests on the distribution of $R_t^{-1}R_t$ according to a partition into conjugacy classes. (The conjugacy class of $g \in G$ is $\{g^h : h \in G\}$.) The groups tested on are all simple groups. Later experiments will consider other parameters than $a = b = c = 1$. They will incorporate the ideas of Section [?]. They will also look at distributions over other group partitions than that of conjugacy classes.

The $\chi^2$ test was applied at the 0.05 significance level. The $\chi^2$ test accepts the hypothesis of uniform randomness when the observed $\chi^2$ statistic satisfies $\chi^2 < \chi^2_{.05}$, the critical value for the given number of degrees of freedom.

The number of degrees of freedom in the x 2 test is one less than the number of conjugacy 
classes. However, in most tests, the smaller conjugacy classes showed fewer than five observations. 
Hence, the smallest conjugacy classes have been merged so that the smallest set in the partition has 
just enough conjugacy classes to have at least five observations. The number of degrees of freedom 
is then adjusted accordingly, as one less than the number of final categories. 

These experimental results are intended only to demonstrate the quality of the random elements in computer experiments. In principle, for $t = 20$ the distribution $g_{20}^{-E_{20}} \cdots g_1^{-E_1}\, g_1^{E'_1} \cdots g_{20}^{E'_{20}}$ can produce at most $2^{40} \approx 10^{12}$ group elements. This is not too much larger than the order of the groups being tested. Hence, the experimental distribution of the individual group elements is most likely not close to uniform. However, the $\chi^2$ test shows that an empirical computation will not be able to distinguish the distribution of group elements according to conjugacy class from a distribution based on uniformly random group elements.
Group G    |G|           terms (t) /             total num classes /     observed    chi^2_.05
                         precomp. (group op's)   chi^2 degrees freedom   chi^2
M24        2.4 x 10^8    20/60                   26/22                   12.3        33.9
McL        9.0 x 10^8    25/98                   24/20                   35.6        31.4
SL(7,2)    1.6 x 10^14   25/110                  117/98                  112.0       122.1
Suz        4.5 x 10^11   30/184                  43/32                   27.3        46.2
A15        6.5 x 10^11   30/204                  94/68                   52.0        88.2

(The fifth column is the observed $\chi^2$ statistic on 10,000 draws; the last column is the 0.05 critical value for the stated degrees of freedom, after merging of small classes.)



The $\chi^2$ test accepts the hypothesis at the 0.05 significance level for all groups, except the McLaughlin group (McL). The McLaughlin group is accepted at the 0.01 significance level. By using the ideas of Section 5, we are able to pass the $\chi^2$ test for McL at the 0.05 significance level. We achieve $\chi^2 = 15.5$ for 20 degrees of freedom using only 15 group operations per random element. ($R_{15}^{-1}R_{15}$, with $R_{15} = g_1^{E_1} \cdots g_{15}^{E_{15}}$ and the $g_i$ chosen based on Section 5.)

Detailed distributions are provided in the context of the McLaughlin group in the appendix. 

9 Product Replacement 

The Fibonacci cube algorithm can emulate a variation of the product replacement algorithm, which produces an $\epsilon$-uniform random element in $O(\log^2|G|)$ steps. This should be compared with the work of Pak [Pak00] to produce nearly random $k$-sets (not elements) in the limiting distribution in $O(\log^9|G|)$ with $k = O(\log|G|\,\log\log|G|)$.

To see this, choose $k = O(\log|G|)$ and modify the product replacement algorithm so that at each step, a randomly chosen element, $g_i$, of the $k$-set is chosen and all other elements of the $k$-set are multiplied by $g_i$. Further, after the $i$-th element has been chosen, it should not be chosen again. After $O(\log|G|)$ steps, an element of the $k$-set that has not yet been chosen will have an $\epsilon$-uniform distribution. The proof is modelled on the proof for the Fibonacci cube algorithm. Further details will be provided in a different paper.
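As an added example (not code from the paper, nor from [Pak00]), the following Python carries out the variant just described on permutations: keep a $k$-set, at each step pick one not-yet-chosen entry $g_i$, right-multiply every other entry by it, retire $g_i$, and at the end return an entry that was never picked. How the $k$-set is initialised is not stated above, so it is seeded by cycling through the generators; that is an assumption of the example, as is the choice of $k$ and of the number of steps. No mixing claim is checked here. The test only verifies the closure property a practitioner would want first: every output lies in the group generated, which for generators inside the alternating group $A_4$ is detected by parity.

```python
import random
from collections import Counter

def compose(p, q):
    """Permutations of range(n) as tuples; apply p first, then q."""
    return tuple(q[i] for i in p)

def is_even(p):
    """Parity via the cycle count: p is even iff n - (number of cycles) is even."""
    seen, cycles = [False] * len(p), 0
    for i in range(len(p)):
        if not seen[i]:
            cycles += 1
            j = i
            while not seen[j]:
                seen[j] = True
                j = p[j]
    return (len(p) - cycles) % 2 == 0

def modified_product_replacement(gens, k, steps, rng):
    """One run of the Section 9 variant, as read from the text above.  The k-set is
    seeded by cycling through the generators (an assumption).  Each step picks an
    unchosen entry g_i uniformly, right-multiplies every other entry by it and
    retires index i; the result is a uniformly chosen entry that was never picked,
    so `steps < k` is required."""
    if steps >= k:
        raise ValueError("need steps < k so that an unchosen element remains")
    kset = [gens[i % len(gens)] for i in range(k)]
    unchosen = list(range(k))
    for _ in range(steps):
        i = rng.choice(unchosen)
        unchosen.remove(i)
        g = kset[i]
        for j in range(k):
            if j != i:
                kset[j] = compose(kset[j], g)
    return kset[rng.choice(unchosen)]

def sample_many(gens, k, steps, draws, seed=0):
    """Run the walk `draws` times from scratch and tally the outputs."""
    rng = random.Random(seed)
    return Counter(modified_product_replacement(gens, k, steps, rng) for _ in range(draws))

def all_in_alternating_group(gens, k, steps, draws, seed=0):
    """Closure check: with even generators every output must be even, whatever k
    and steps are; a failure here would mean the walk left the group."""
    return all(is_even(p) for p in sample_many(gens, k, steps, draws, seed))

if __name__ == "__main__":
    A4 = [(1, 2, 0, 3), (0, 2, 3, 1)]  # two 3-cycles; they generate A_4, of order 12
    tally = sample_many(A4, k=8, steps=6, draws=2000)
    print(len(tally), "distinct elements seen; all even:",
          all_in_alternating_group(A4, 8, 6, 2000))
```

Because every entry is only ever multiplied by another entry of the same set, the walk can never leave $\langle S \rangle$; the interesting question, how close the returned entry is to uniform after $O(\log|G|)$ steps, is the one the text defers to a later paper and this example does not settle.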



10 Permutation Group Membership 

Precomputation of a group membership data structure for permutation groups allows one to compute group orders, find random elements, test an arbitrary permutation for group membership, etc. There are at least four such group membership data structures: Sims's Schreier vectors (or Schreier trees) [Sim71], Knuth's data structure [Knu91], Jerrum's labelled branchings [Jer86], and the deep sift data structure of Cooperman and Finkelstein [CF93].



If $n$ is the permutation degree and $b \le n$ is the size of a base, then $b \le \log|G| \le b\log n$. Schreier vectors require $O(bn)$ group operations in the worst case, but $O(\log|G|)$ operations typically, to produce a random element. Knuth's data structure and deep sift require $O(\log|G|)$ operations to produce a random element. Jerrum's data structure requires $O(b)$ operations to produce a random element. While the first three data structures require space proportional to the time to produce a random element, Jerrum's data structure has the disadvantage of requiring space for $\Theta(n)$ group elements.

Cooperman and Finkelstein [CF94, Theorem A] had previously demonstrated a random base change algorithm requiring $O(\log|G|)$ random group elements as input. The base change algorithm produces a group membership data structure, thus solving permutation group membership. The original paper assumed that the random group elements came from a Schreier vector, but the result of this paper provides an alternative source of such random elements. Combining this paper with the random base change algorithm and any of the four group membership data structures yields a Monte Carlo group membership algorithm operating in $O(\log^2|G|)$ group operations.

Prior to this, the fastest general algorithm was the deep sift algorithm of Cooperman and Finkelstein, requiring $O(n^2\log^4 n)$ group operations, and the fastest small base algorithm, by Babai, Cooperman, Finkelstein and Seress [BCFS91], required $O(\log^3|G| + b^2\log^2|G|\,\log(b + \log n) + b^2(\log b)(\log^3|G|)(\log n)/n)$ group operations. In both cases, the $O(\log^2|G|)$ group operations using the new Fibonacci cube algorithm represents a significant improvement.

Any of these Monte Carlo algorithms can be upgraded to Las Vegas by applying a strong generating test afterwards. The danger with Monte Carlo algorithms is that they may not produce enough group elements to form a full strong generating set. Cooperman and Finkelstein [CF91] demonstrate an $O(\log^3|G|)$ algorithm for testing if a set of group elements forms a strong generating set. (In fact, the algorithm is $O(n^4)$ for a permutation group acting on $n$ points.)



11 Conclusion 

The Fibonacci cube algorithm has been demonstrated to produce a $\gamma$-uniform random variable in $O(\log^2|G|)$ group operations. From that distribution $\epsilon$-uniform elements can be computed with $O((\log 1/\epsilon)\log|G|)$ group operations. The algorithm is asymptotically faster than previous theoretical algorithms and also empirically faster than the product replacement heuristic for many groups. The faster random generation algorithm also yields a faster permutation group membership algorithm.

The coefficient of complexity of the Fibonacci cube algorithm analyzed in this paper is still 
unacceptably high. This may not be an issue for computations that have an independent check 
for correctness, such as Las Vegas algorithms, since the experimental results are competitive. An 
expanded version of this paper will refine the analysis to produce a smaller coefficient of complexity. 

The large coefficient arises due to the constant 0.997 arising from Section [?]. In Theorem 5.2, we are too greedy in demanding that $A'A' = A' = A'^{-1}$ (and therefore $A'g \setminus A' = \emptyset$). If we prove only that $A'A'$ does not differ greatly from $A'$, we can still prove that a random subproduct has reasonable probability of allowing us to escape the set $A'$.
Appendix: Computational Experiment



This appendix is a quick note on a computation suggested by Persi Diaconis. It is about a quick 
computational experiment. It is not intended to be a polished document. 

I test McLaughlin's group (McL). I compare the true distribution of elements according to the 
conjugacy classes, with the distribution according to conjugacy classes produced by the random 
generator of the paper. 

I take the constants $a = b = c = 1$ in the Fibonacci Cube algorithm. I use only the Fibonacci Cube algorithm, which in principle produces only a semi-uniform random variable. That is, in principle, this distribution will satisfy only
\[
\forall g \in G,\quad \Pr(X = g) \ge \alpha/|G| .
\]

The paper has an additional step for producing nearly uniform random variables. I will test 
the full algorithm at a later date. I suspect the full algorithm will represent an improvement. But 
for now even the semi-uniform random variables seem to be close enough to uniform. 

The code was written using GAP 4.2. The test here is for McL (McLaughlin group), of or- 
der 898,128,000, with 2 generators, based on a permutation representation on 275 points. The 
representation is provided by Walter Kim, U. Chicago, Feb., 2000. 

For McLaughlin's group, there are 24 conjugacy classes. For each conjugacy class $C_i$, I compute an integer, $[|C_i|/10^6]$. This is for convenience, since GAP doesn't handle floating point. Since $\sum_i [|C_i|/10^6] = 886$, I test the random generator by generating exactly 886 elements, and test their distribution into conjugacy classes.

In each case, the first row is the distribution of elements produced by the random generator (the number of elements in each of the 24 conjugacy classes). The second row corresponds to the true distribution, normalized to the form $[|C_i|/10^6]$. The notation "30 terms" means that $R_{30}$ was computed in the notation of the paper. The $O(\log^2|G|)$ precomputation refers to the computation of $g_1, \ldots, g_{30}$ for $R_{30} = g_1^{E_1} \cdots g_{30}^{E_{30}}$. The 886 random elements are then each drawn from $R_{30}^{-1}R_{30}$. This is the $O(\log|G|)$ computation. On average, the $O(\log|G|)$ computation of a random element from $R_{30}^{-1}R_{30}$ costs 30 group operations per random element (29 multiplications and one inverse).

Note that for fewer than 20 terms, there are too many pseudo-random elements in the first, third, tenth and eleventh conjugacy classes. This experimental observation reflects the theoretical model, which states only that $R_t^{-1}R_t$ is semi-uniform. A future experiment will also test the theory of Section 7 for converting semi-uniform to $\epsilon$-uniform. This should be more efficient in producing $\epsilon$-uniform random elements.

Experiment 1 : 

30 terms, 174 group operations for $O(\log^2|G|)$ precomputation. 30 ops/rand elt.
[ 0, 38, 0, 31, 20, 32, 22, 0, 43, 0, 2, 12, 82, 75, 55, 68, 62, 72, 78, 102, 2, 31, 25, 34 ] 
[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 

Experiment 2 : 

30 terms, 144 group operations for $O(\log^2|G|)$ precomputation. 30 ops/rand elt.
[ 0, 31, 0, 33, 34, 27, 19, 0, 24, 0, 1, 13, 76, 79, 72, 64, 59, 94, 75, 105, 3, 29, 28, 20 ] 
[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 

Experiment 3 : 

20 terms, 74 group operations for $O(\log^2|G|)$ precomputation. 20 ops/rand elt.

[ 0, 46, 3, 25, 23, 27, 35, 0, 19, 0, 2, 7, 66, 69, 49, 50, 71, 94, 72, 137, 1, 41, 29, 20 ] 

[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 
Experiment 4 :

20 terms, 88 group operations for $O(\log^2|G|)$ precomputation. 20 ops/rand elt.
[ 0, 32, 1, 32, 31, 31, 18, 0, 22, 1, 3, 11, 78, 66, 49, 67, 76, 81, 74, 120, 0, 39, 23, 31 ] 
[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 

Experiment 5 : 

15 terms, 48 group operations for $O(\log^2|G|)$ precomputation. 15 ops/rand elt.
[ 1, 44, 23, 38, 32, 27, 33, 0, 25, 9, 8, 11, 72, 50, 59, 50, 56, 79, 72, 104, 4, 31, 33, 25 ] 
[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 

Experiment 6 : 

15 terms, 44 group operations for $O(\log^2|G|)$ precomputation. 15 ops/rand elt.
[ 8, 41, 54, 44, 36, 12, 14, 0, 10, 17, 11, 6, 94, 34, 46, 50, 69, 82, 71, 54, 1, 38, 52, 42 ] 
[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 

Experiment 7 : 

10 terms, 21 group operations for $O(\log^2|G|)$ precomputation. 10 ops/rand elt.
[ 0, 47, 54, 55, 53, 11, 14, 1, 6, 30, 8, 11, 96, 47, 66, 44, 42, 80, 74, 39, 4, 45, 37, 22 ] 
[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 

Experiment 8 : 

10 terms, 19 group operations for $O(\log^2|G|)$ precomputation. 10 ops/rand elt.

[ 17, 49, 82, 27, 28, 10, 12, 0, 15, 30, 7, 7, 101, 36, 26, 40, 54, 110, 107, 12, 0, 46, 51, 19 ] 

[ 0, 35, 1, 29, 29, 29, 29, 0, 29, 0, 2, 9, 74, 64, 64, 64, 64, 81, 81, 112, 0, 33, 33, 24 ] 